CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-78

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2017-14500 78 Exec Code 2017-09-17 2017-11-03
6.8
None Remote Medium Not required Partial Partial Partial
Improper Neutralization of Special Elements used in an OS Command in the podcast playback function of Podbeuter in Newsbeuter 0.3 through 2.9 allows remote attackers to perform user-assisted code execution by crafting an RSS item with a media enclosure (i.e., a podcast file) that includes shell metacharacters in its filename, related to pb_controller.cpp and queueloader.cpp, a different vulnerability than CVE-2017-12904.
2 CVE-2017-14135 78 Exec Code 2017-09-04 2017-09-12
10.0
None Remote Low Not required Complete Complete Complete
enigma2-plugins/blob/master/webadmin/src/WebChilds/Script.py in the webadmin plugin for opendreambox 2.0.0 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the command parameter to the /script URI.
3 CVE-2017-14127 78 Exec Code 2017-09-04 2017-09-08
10.0
None Remote Low Not required Complete Complete Complete
Command Injection in the Ping Module in the Web Interface on Technicolor TD5336 OI_Fw_v7 devices allows remote attackers to execute arbitrary OS commands as root via shell metacharacters in the pingAddr parameter to mnt_ping.cgi.
4 CVE-2017-14001 78 Exec Code 2017-09-25 2017-10-10
9.0
None Remote Low Single system Complete Complete Complete
An Improper Neutralization of Special Elements used in an OS Command issue was discovered in Digium Asterisk GUI 2.1.0 and prior. An OS command injection vulnerability has been identified that may allow the execution of arbitrary code on the system through the inclusion of OS commands in the URL request of the program.
5 CVE-2017-12581 78 Exec Code Bypass 2017-08-05 2017-08-14
9.3
None Remote Medium Not required Complete Complete Complete
GitHub Electron before 1.6.8 allows remote command execution because of a nodeIntegration bypass vulnerability. This also affects all applications that bundle Electron code equivalent to 1.6.8 or earlier. Bypassing the Same Origin Policy (SOP) is a precondition; however, recent Electron versions do not have strict SOP enforcement. Combining an SOP bypass with a privileged URL internally used by Electron, it was possible to execute native Node.js primitives in order to run OS commands on the user's host. Specifically, a chrome-devtools://devtools/bundled/inspector.html window could be used to eval a Node.js child_process.execFile API call.
6 CVE-2017-11318 78 Exec Code 2017-07-17 2017-08-07
6.8
None Remote Medium Not required Partial Partial Partial
Cobian Backup 11 client allows man-in-the-middle attackers to add and execute new backup tasks when the master server is spoofed. In addition, the attacker can execute system commands remotely by abusing pre-backup events.
7 CVE-2017-10832 78 Exec Code 2017-08-28 2017-08-31
10.0
None Remote Low Not required Complete Complete Complete
"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
8 CVE-2017-10813 78 Exec Code 2017-09-15 2017-09-20
7.7
None Local Network Low Single system Complete Complete Complete
CG-WLR300NM Firmware version 1.90 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
9 CVE-2017-10811 78 Exec Code 2017-08-18 2017-08-25
7.7
None Local Network Low Single system Complete Complete Complete
Buffalo WCR-1166DS devices with firmware 1.30 and earlier allow an attacker to execute arbitrary OS commands via unspecified vectors.
10 CVE-2017-9736 78 Exec Code 2017-06-17 2017-11-03
7.5
None Remote Low Not required Partial Partial Partial
SPIP 3.1.x before 3.1.6 and 3.2.x before Beta 3 does not remove shell metacharacters from the host field, allowing a remote attacker to cause remote code execution.
11 CVE-2017-8768 78 Exec Code 2017-05-04 2017-05-17
10.0
None Remote Low Not required Complete Complete Complete
Atlassian SourceTree v2.5c and prior are affected by a command injection in the handling of the sourcetree:// scheme. It will lead to arbitrary OS command execution with a URL substring of sourcetree://cloneRepo/ext:: or sourcetree://checkoutRef/ext:: followed by the command. The Atlassian ID number is SRCTREE-4632.
12 CVE-2017-7175 78 Exec Code 2017-07-10 2017-07-13
9.0
None Remote Low Single system Complete Complete Complete
NfSen before 1.3.8 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the customfmt parameter (aka the "Custom output format" field).
13 CVE-2017-6884 78 Exec Code 2017-04-06 2017-04-12
9.0
None Remote Low Single system Complete Complete Complete
A command injection vulnerability was discovered on the Zyxel EMG2926 home router with firmware V1.00(AAQT.4)b8. The vulnerability is located in the diagnostic tools, specifically the nslookup function. A malicious user may exploit numerous vectors to execute arbitrary commands on the router, such as the ping_ip parameter to the expert/maintenance/diagnostic/nslookup URI.
14 CVE-2017-6796 78 Exec Code 2017-09-07 2017-09-15
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in the USB-modem code of Cisco IOS XE Software running on Cisco ASR 920 Series Aggregation Services Routers could allow an authenticated, local attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. The vulnerability is due to improper input validation of the platform usb modem command in the CLI of the affected software. An attacker could exploit this vulnerability by modifying the platform usb modem command in the CLI of an affected device. A successful exploit could allow the attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. Cisco Bug IDs: CSCve48949.
15 CVE-2017-6714 78 Exec Code 2017-07-05 2017-07-07
10.0
None Remote Low Not required Complete Complete Complete
A vulnerability in the AutoIT service of Cisco Ultra Services Framework Staging Server could allow an unauthenticated, remote attacker to execute arbitrary shell commands as the Linux root user. The vulnerability is due to improper shell invocations. An attacker could exploit this vulnerability by crafting CLI command inputs to execute Linux shell commands as the root user. This vulnerability affects all releases of Cisco Ultra Services Framework Staging Server prior to Releases 5.0.3 and 5.1. Cisco Bug IDs: CSCvc76673.
16 CVE-2017-6712 78 2017-07-05 2017-07-07
9.0
None Remote Low Single system Complete Complete Complete
A vulnerability in certain commands of Cisco Elastic Services Controller could allow an authenticated, remote attacker to elevate privileges to root and run dangerous commands on the server. The vulnerability occurs because a "tomcat" user on the system can run certain shell commands, allowing the user to overwrite any file on the filesystem and elevate privileges to root. This vulnerability affects Cisco Elastic Services Controller prior to releases 2.3.1.434 and 2.3.2. Cisco Bug IDs: CSCvc76634.
17 CVE-2017-6710 78 2017-08-17 2017-08-25
8.5
None Remote Low Single system None Complete Complete
A vulnerability in the Cisco Virtual Network Function (VNF) Element Manager could allow an authenticated, remote attacker to elevate privileges and run commands in the context of the root user on the server. The vulnerability is due to command settings that allow Cisco VNF Element Manager users to specify arbitrary commands that will run as root on the server. An attacker could use this setting to elevate privileges and run commands in the context of the root user on the server. Cisco Bug IDs: CSCvc76670. Known Affected Releases: prior to 5.0.4 and 5.1.4.
18 CVE-2017-6707 78 Exec Code 2017-07-05 2017-07-07
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in the CLI command-parsing code of the Cisco StarOS operating system for Cisco ASR 5000 Series 11.0 through 21.0, 5500 Series, and 5700 Series devices and Cisco Virtualized Packet Core (VPC) Software could allow an authenticated, local attacker to break from the StarOS CLI of an affected system and execute arbitrary shell commands as a Linux root user on the system, aka Command Injection. The vulnerability exists because the affected operating system does not sufficiently sanitize commands before inserting them into Linux shell commands. An attacker could exploit this vulnerability by submitting a crafted CLI command for execution in a Linux shell command as a root user. Cisco Bug IDs: CSCvc69329, CSCvc72930.
19 CVE-2017-6683 78 Exec Code 2017-06-13 2017-06-23
9.0
None Remote Low Single system Complete Complete Complete
A vulnerability in the esc_listener.py script of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to execute arbitrary commands as the tomcat user on an affected system, aka an Authentication Request Processing Arbitrary Command Execution Vulnerability. More Information: CSCvc76642. Known Affected Releases: 2.2(9.76).
20 CVE-2017-6682 78 2017-06-13 2017-06-23
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability in the ConfD CLI of Cisco Elastic Services Controllers could allow an authenticated, remote attacker to run arbitrary commands as the Linux tomcat user on an affected system. More Information: CSCvc76620. Known Affected Releases: 2.2(9.76).
21 CVE-2017-6606 78 Exec Code 2017-04-07 2017-07-11
6.9
None Local Medium Not required Complete Complete Complete
A vulnerability in a startup script of Cisco IOS XE Software could allow an unauthenticated attacker with physical access to the targeted system to execute arbitrary commands on the underlying operating system with the privileges of the root user. More Information: CSCuz06639 CSCuz42122. Known Affected Releases: 15.6(1.1)S 16.1.2 16.2.0 15.2(1)E. Known Fixed Releases: Denali-16.1.3 16.2(1.8) 16.1(2.61) 15.6(2)SP 15.6(2)S1 15.6(1)S2 15.5(3)S3a 15.5(3)S3 15.5(2)S4 15.5(1)S4 15.4(3)S6a 15.4(3)S6 15.3(3)S8a 15.3(3)S8 15.2(5)E 15.2(4)E3 15.2(3)E5 15.0(2)SQD3 15.0(1.9.2)SQD3 3.9(0)E.
22 CVE-2017-6597 78 2017-04-07 2017-07-11
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in the local-mgmt CLI command of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61394 CSCvb86816. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1658) 2.0(1.115).
23 CVE-2017-6320 78 Exec Code +Priv 2017-07-18 2017-08-15
9.0
None Remote Low Single system Complete Complete Complete
A remote command injection vulnerability exists in the Barracuda Load Balancer product line (confirmed on v5.4.0.004 (2015-11-26) and v6.0.1.006 (2016-08-19); fixed in 6.1.0.003 (2017-01-17)) in which an authenticated user can execute arbitrary shell commands and gain root privileges. The vulnerability stems from unsanitized data being processed in a system call when the delete_assessment command is issued.
24 CVE-2017-6223 78 Exec Code 2017-10-13 2017-10-27
9.3
None Remote Medium Not required Complete Complete Complete
Ruckus Wireless Zone Director Controller firmware releases ZD9.9.x, ZD9.10.x, ZD9.13.0.x less than 9.13.0.0.232 contain OS Command Injection vulnerabilities in the ping functionality that could allow local authenticated users to execute arbitrary privileged commands on the underlying operating system.
25 CVE-2017-6077 78 Exec Code 2017-02-22 2017-03-01
10.0
None Remote Low Not required Complete Complete Complete
ping.cgi on NETGEAR DGN2200 devices with firmware through 10.0.0.50 allows remote authenticated users to execute arbitrary OS commands via shell metacharacters in the ping_IPAddr field of an HTTP POST request.
26 CVE-2017-5330 78 Exec Code 2017-03-27 2017-03-31
6.8
None Remote Medium Not required Partial Partial Partial
ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.
27 CVE-2017-3806 78 Exec Code 2017-02-03 2017-02-27
4.6
None Local Low Not required Partial Partial Partial
A vulnerability in CLI command processing in the Cisco Firepower 4100 Series Next-Generation Firewall and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to inject arbitrary shell commands that are executed by the device. More Information: CSCvb61343. Known Affected Releases: 2.0(1.68). Known Fixed Releases: 2.0(1.118) 2.1(1.47) 92.1(1.1646) 92.1(1.1763) 92.2(1.101).
28 CVE-2017-3796 78 Exec Code 2017-01-26 2017-07-25
6.5
None Remote Low Single system Partial Partial Partial
A vulnerability in Cisco WebEx Meetings Server could allow an authenticated, remote attacker to execute predetermined shell commands on other hosts. More Information: CSCuz03353. Known Affected Releases: 2.6.
29 CVE-2017-2281 78 Exec Code 2017-08-02 2017-08-08
8.3
None Local Network Low Not required Complete Complete Complete
WN-AX1167GR firmware version 3.00 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
30 CVE-2017-2275 78 Exec Code 2017-07-21 2017-07-26
9.0
None Remote Low Single system Complete Complete Complete
WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
31 CVE-2017-2237 78 Exec Code 2017-07-07 2017-07-14
10.0
None Remote Low Not required Complete Complete Complete
Toshiba Home gateway HEM-GW16A firmware HEM-GW16A-FW-V1.2.0 and earlier. Toshiba Home gateway HEM-GW26A firmware HEM-GW26A-FW-V1.2.0 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors.
32 CVE-2017-2185 78 Exec Code 2017-07-07 2017-07-14
5.2
None Local Network Low Single system Partial Partial Partial
HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via WebUI.
33 CVE-2017-2183 78 Exec Code 2017-07-07 2017-07-14
5.2
None Local Network Low Single system Partial Partial Partial
HOME SPOT CUBE2 firmware V101 and earlier allows authenticated attackers to execute arbitrary OS commands via Clock Settings.
34 CVE-2017-2152 78 Exec Code 2017-04-28 2017-05-05
5.2
None Local Network Low Single system Partial Partial Partial
WNC01WH firmware 1.0.0.9 and earlier allows authenticated attackers to execute arbitrary OS commands via unspecified vectors.
35 CVE-2017-2141 78 Exec Code 2017-04-28 2017-05-05
9.0
None Remote Low Single system Complete Complete Complete
WN-G300R3 firmware 1.03 and earlier allows attackers with administrator rights to execute arbitrary OS commands via unspecified vectors.
36 CVE-2017-2128 78 Exec Code 2017-04-28 2017-05-05
6.8
None Remote Medium Not required Partial Partial Partial
Security guide for website operators allows remote attackers to execute arbitrary OS commands via specially crafted saved data.
37 CVE-2017-2112 78 Exec Code 2017-04-28 2017-05-11
8.3
None Local Network Low Not required Complete Complete Complete
TS-WPTCAM firmware version 1.18 and earlier, TS-WPTCAM2 firmware version 1.00, TS-WLCE firmware version 1.18 and earlier, TS-WLC2 firmware version 1.18 and earlier, TS-WRLC firmware version 1.17 and earlier, TS-PTCAM firmware version 1.18 and earlier, TS-PTCAM/POE firmware version 1.18 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
38 CVE-2017-2096 78 Exec Code 2017-04-28 2017-05-09
10.0
None Remote Low Not required Complete Complete Complete
smalruby-editor v0.4.0 and earlier allows remote attackers to execute arbitrary OS commands via unspecified vectors.
39 CVE-2017-1318 78 Exec Code 2017-07-18 2017-07-28
9.0
None Remote Low Single system Complete Complete Complete
IBM MQ Appliance 8.0 and 9.0 could allow an authenticated messaging administrator to execute arbitrary commands on the system, caused by command execution. IBM X-Force ID: 125730.
40 CVE-2017-1253 78 Exec Code 2017-07-05 2017-07-17
6.5
None Remote Low Single system Partial Partial Partial
IBM Security Guardium 10.0 could allow a remote authenticated attacker to execute arbitrary commands on the system. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system. IBM X-Force ID: 124633.
41 CVE-2016-1000216 78 2016-10-10 2017-07-06
9.0
None Remote Low Single system Complete Complete Complete
Ruckus Wireless H500 web management interface authenticated command injection
42 CVE-2016-10320 78 2017-04-06 2017-04-12
9.3
None Remote Medium Not required Complete Complete Complete
textract before 1.5.0 allows OS Command Injection attacks via a filename in a call to the process function. This may be a remote attack if a web application accepts names of arbitrary uploaded files.
43 CVE-2016-10043 78 Exec Code 2017-01-31 2017-03-13
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered in Radisys MRF Web Panel (SWMS) 9.0.1. The MSM_MACRO_NAME POST parameter in /swms/ms.cgi was discovered to be vulnerable to OS command injection attacks. It is possible to use the pipe character (|) to inject arbitrary OS commands and retrieve the output in the application's responses. Attackers could execute unauthorized commands, which could then be used to disable the software, or read, write, and modify data for which the attacker does not have permissions to access directly. Since the targeted application is directly executing the commands instead of the attacker, any malicious activities may appear to come from the application or the application's owner (apache user).
44 CVE-2016-9091 78 Exec Code 2017-04-05 2017-08-15
9.0
None Remote Low Single system Complete Complete Complete
Blue Coat Advanced Secure Gateway (ASG) 6.6 before 6.6.5.4 and Content Analysis System (CAS) 1.3 before 1.3.7.4 are susceptible to an OS command injection vulnerability. An authenticated malicious administrator can execute arbitrary OS commands with elevated system privileges.
45 CVE-2016-8721 78 2017-04-20 2017-04-26
9.0
None Remote Low Single system Complete Complete Complete
An exploitable OS Command Injection vulnerability exists in the web application 'ping' functionality of Moxa AWK-3131A Wireless Access Points running firmware 1.1. Specially crafted web form input can cause an OS Command Injection resulting in complete compromise of the vulnerable device. An attacker can exploit this vulnerability remotely.
46 CVE-2016-7844 78 Exec Code 2017-08-02 2017-08-03
6.0
None Remote Medium Single system Partial Partial Partial
GigaCC OFFICE ver.2.3 and earlier allows remote attackers to execute arbitrary OS commands via specially crafted mail template.
47 CVE-2016-7819 78 Exec Code 2017-06-09 2017-06-16
9.0
None Remote Low Single system Complete Complete Complete
I-O DATA DEVICE TS-WRLP firmware version 1.01.02 and earlier and TS-WRLA firmware version 1.01.02 and earlier allows an attacker with administrator rights to execute arbitrary OS commands via unspecified vectors.
48 CVE-2016-7806 78 Exec Code 2017-06-09 2017-06-15
10.0
None Remote Low Not required Complete Complete Complete
I-O DATA DEVICE WFS-SR01 firmware version 1.10 and earlier allow remote attackers to execute arbitrary OS commands via unspecified vectors.
49 CVE-2016-6631 78 Exec Code 2016-12-10 2017-06-30
8.5
None Remote Medium Single system Complete Complete Complete
An issue was discovered in phpMyAdmin. A user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application. Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh. All 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and 4.0.x versions (prior to 4.0.10.17) are affected.
50 CVE-2016-6459 78 Exec Code 2016-11-18 2017-07-28
4.9
None Local Low Not required Complete None None
Cisco TelePresence endpoints running either CE or TC software contain a vulnerability that could allow an authenticated, local attacker to execute a local shell command injection. More Information: CSCvb25010. Known Affected Releases: 8.1.x. Known Fixed Releases: 6.3.4 7.3.7 8.2.2 8.3.0.
Total number of vulnerabilities : 269   Page : 1 (This Page)2 3 4 5 6
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.