CWE-88— Argument Injection or Modification

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of …

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of …

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of …

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of …

A vulnerability in the CLI of Cisco NX-OS Software and Cisco FXOS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to ins…

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to insufficient validation of …

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges on the underlying operating system of an affected device. The vulnerability is due to in…

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device with elevated privileges. The vu…

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying operating system of an affected device w…

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to in…

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to in…

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vul…

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerability is due to insufficie…

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with valid administrator credentials to execute arbitrary commands on the underlying operating system of an affected device. The vulnerability …

A vulnerability in the CLI of Cisco NX-OS Software could allow an authenticated, local attacker with administrator credentials to execute arbitrary commands with elevated privileges on the underlying operating system of an affected device.…

A vulnerability in the CLI of Cisco FXOS Software and Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with the privilege level of root. The vulnerabil…

An issue was discovered in Symfony 2.8.0 through 2.8.50, 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. If an application passes unvalidated user input as the file for which MIME type validation should occur, then arb…

Insufficient sanitization of arguments passed to rsync can bypass the restrictions imposed by rssh, a restricted shell that should restrict users to perform only rsync operations, resulting in the execution of arbitrary shell commands.

Crestron AM-100 with firmware 1.6.0.2 and AM-101 with firmware 2.7.0.2 are vulnerable to argumention injection to the curl binary via crafted HTTP requests to return.cgi. A remote, authenticated attacker can use this vulnerability to uploa…

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the startProcess command. The command takes a user-supplied script argument and executes it under root context. A user…

An exploitable privilege escalation vulnerability exists in the Wacom, driver version 6.3.32-3, update helper service in the start/stopLaunchDProcess command. The command takes a user-supplied string argument and executes launchctl under r…

Incorrect command line processing in Chrome in Google Chrome prior to 73.0.3683.75 allowed a local attacker to perform domain spoofing via a crafted domain name.

mIRC before 7.55 allows remote command execution by using argument injection through custom URI protocol handlers. The attacker can specify an irc:// URI that loads an arbitrary .ini file from a UNC share pathname. Exploitation depends on …

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.

A vulnerability was discovered where specific command line arguments are not properly discarded during Firefox invocation as a shell handler for URLs. This could be used to retrieve and execute files whose location is supplied through thes…

rcube_image.php in Roundcube Webmail before 1.4.4 allows attackers to execute arbitrary code via shell metacharacters in a configuration setting for im_convert_path or im_identify_path.

TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers. A malicious website could launch TeamViewer with arbitrary parameters, as demonstrated by a teamviewer10: --play URL. An attacker could force a v…

An issue was discovered in Ozeki NG SMS Gateway through 4.17.6. The database connection strings accept custom unsafe arguments, such as ENABLE_LOCAL_INFILE, that can be leveraged by attackers to enable MySQL Load Data Local (rogue MySQL se…

Viber for Windows up to 13.2.0.39 does not properly quote its custom URI handler. A malicious website could launch Viber with arbitrary parameters, forcing a victim to send an NTLM authentication request, and either relay the request or ca…

aaPanel through 6.6.6 allows remote authenticated users to execute arbitrary commands via the Script Content box on the Add Cron Job screen.

Blueman is a GTK+ Bluetooth Manager. In Blueman before 2.1.4, the DhcpClient method of the D-Bus interface to blueman-mechanism is prone to an argument injection vulnerability. The impact highly depends on the system configuration. If Polk…

In Nim 1.2.4, the standard library browsers mishandles the URL argument to browsers.openDefaultBrowser. This argument can be a local file path that will be opened in the default explorer. An attacker can pass one argument to the underlying…

Firejail through 0.9.62 does not honor the -- end-of-options indicator after the --output option, which may lead to command injection.

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible…

DrayTek Vigor2960 1.5.1 allows remote command execution via shell metacharacters in a toLogin2FA action to mainfunction.cgi.

A Remote Code Execution vulnerability has been found in Inspur ClusterEngine V4.0. A remote attacker can send a malicious login packet to the control server

Remote Code Execution can occur via the external news feed in ILIAS 6.4 because of incorrect parameter sanitization for Magpie RSS data.

Xinuos (formerly SCO) Openserver v5 and v6 allows attackers to execute arbitrary commands via shell metacharacters in outputform or toclevels parameter to cgi-bin/printbook.

A vulnerability in the remote management feature of Cisco SD-WAN vManage Software could allow an authenticated, local attacker to inject arbitrary commands and potentially gain elevated privileges. The vulnerability is due to improper vali…

Exim 4 before 4.94.2 has Improper Neutralization of Line Delimiters, relevant in non-default configurations that enable Delivery Status Notification (DSN). Certain uses of ORCPT= can place a newline into a spool header file, and indirectly…

Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive.

A vulnerability in the CLI of Cisco Data Center Network Manager (DCNM) could allow an authenticated, local attacker to elevate privileges to root and execute arbitrary commands on the underlying operating system. The vulnerability is due t…

Dolibarr 12.0.3 is vulnerable to authenticated Remote Code Execution. An attacker who has the access the admin dashboard can manipulate the backup function by inserting a payload into the filename for the zipfilename_template parameter to …

A Command Injection issue in the traceroute feature on TP-Link TL-WR841N V13 (JP) with firmware versions prior to 201216 allows authenticated users to execute arbitrary code as root via shell metacharacters, a different vulnerability than …

IBM Spectrum Scale V5.0.0.0 through V5.0.4.3 and V4.2.0.0 through V4.2.3.21 could allow a local attacker to cause a denial of service crashing the kernel by sending a subset of ioctls on the device with invalid arguments. IBM X-Force ID: 1…

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier allows an atta…

TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) contains an improper neutralization of argument delimiters in a command…

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the firmware of GT14 Model of GOT 1000 series (GT1455-QTBDE CoreOS version "05.65.00.BD" and earlier, GT1450-QM…

Improper neutralization of argument delimiters in a command ('Argument Injection') vulnerability in TCP/IP function included in the firmware of MELSEC iQ-R series (RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial num…

Improper neutralization of argument delimiters in a command in Nagios XI 5.7.3 allows a remote, authenticated admin user to write to arbitrary files and ultimately execute code with the privileges of the apache user.