CVEdetails.com the ultimate security vulnerability data source
(e.g.: CVE-2009-1234 or 2010-1234 or 20101234)
Log In   Register
Vulnerability Feeds & WidgetsNew   www.itsecdb.com  

Security Vulnerabilities Related To CWE-78

Press ESC to close
# CVE ID CWE ID # of Exploits Vulnerability Type(s) Publish Date Update Date Score Gained Access Level Access Complexity Authentication Conf. Integ. Avail.
1 CVE-2019-1010200 78 Exec Code 2019-07-23 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Voice Builder Prior to commit c145d4604df67e6fc625992412eef0bf9a85e26b and f6660e6d8f0d1d931359d591dbdec580fef36d36 is affected by: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). The impact is: Remote code execution with the same privileges as the servers. The component is: Two web servers in the projects expose three vulnerable endpoints that can be accessed remotely. The endpoints are defined at: - /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/merlin_model_server/api.js#L34 - /alignment: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L28 - /tts: https://github.com/google/voice-builder/blob/3a449a3e8d5100ff323161c89b897f6d5ccdb6f9/festival_model_server/api.js#L65. The attack vector is: Attacker sends a GET request to the vulnerable endpoint with a specially formatted query parameter. The fixed version is: After commit f6660e6d8f0d1d931359d591dbdec580fef36d36.
2 CVE-2019-17510 78 Exec Code 2019-10-11 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetWizardConfig with shell metacharacters to /squashfs-root/www/HNAP1/control/SetWizardConfig.php.
3 CVE-2019-17509 78 Exec Code 2019-10-11 2019-10-15
10.0
None Remote Low Not required Complete Complete Complete
D-Link DIR-846 devices with firmware 100A35 allow remote attackers to execute arbitrary OS commands as root by leveraging admin access and sending a /HNAP1/ request for SetMasterWLanSettings with shell metacharacters to /squashfs-root/www/HNAP1/control/SetMasterWLanSettings.php.
4 CVE-2019-17269 78 Exec Code 2019-10-06 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Intellian Remote Access 3.18 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the Ping Test field.
5 CVE-2019-16920 78 Exec Code 2019-09-27 2019-10-10
10.0
None Remote Low Not required Complete Complete Complete
Unauthenticated remote code execution occurs in D-Link products such as DIR-655C, DIR-866L, DIR-652, and DHP-1565. The issue occurs when the attacker sends an arbitrary input to a "PingTest" device common gateway interface that could lead to common injection. An attacker who successfully triggers the command injection could achieve full system compromise. Later, it was independently found that these are also affected: DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835, and DIR-825.
6 CVE-2019-16718 78 Exec Code 2019-09-23 2019-09-23
6.8
None Remote Medium Not required Partial Partial Partial
In radare2 before 3.9.0, a command injection vulnerability exists in bin_symbols() in libr/core/cbin.c. By using a crafted executable file, it's possible to execute arbitrary shell commands with the permissions of the victim. This vulnerability is due to an insufficient fix for CVE-2019-14745 and improper handling of symbol names embedded in executables.
7 CVE-2019-16701 78 2019-09-25 2019-09-25
9.0
None Remote Low Single system Complete Complete Complete
pfSense through 2.3.4 through 2.4.4-p3 allows Remote Code Injection via a methodCall XML document with a pfsense.exec_php call containing shell metacharacters in a parameter value.
8 CVE-2019-16293 78 Exec Code 2019-09-13 2019-09-13
6.5
None Remote Low Single system Partial Partial Partial
The Create Discoveries feature of Open-AudIT before 3.2.0 allows an authenticated attacker to execute arbitrary OS commands via a crafted value for a URL field.
9 CVE-2019-16057 78 2019-09-16 2019-09-16
10.0
None Remote Low Not required Complete Complete Complete
The login_mgr.cgi script in D-Link DNS-320 through 2.05.B10 is vulnerable to remote command injection.
10 CVE-2019-15701 78 Exec Code 2019-08-27 2019-08-30
6.8
None Remote Medium Not required Partial Partial Partial
components/Modals/HelpModal.jsx in BloodHound 2.2.0 allows remote attackers to execute arbitrary OS commands (by spawning a child process as the current user on the victim's machine) when the search function's autocomplete feature is used. The victim must import data from an Active Directory with a GPO containing JavaScript in its name.
11 CVE-2019-15503 78 Exec Code 2019-08-26 2019-08-30
10.0
None Remote Low Not required Complete Complete Complete
cgi-cpn/xcoding/prontus_videocut.cgi in AltaVoz Prontus (aka ProntusCMS) through 12.0.3.0 has "Improper Neutralization of Special Elements used in an OS Command," allowing attackers to execute OS commands via an HTTP GET parameter.
12 CVE-2019-15498 78 Exec Code 2019-08-23 2019-08-27
9.3
None Remote Medium Not required Complete Complete Complete
cgi-bin/cmh/webcam.sh in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via --output argument injection in the username parameter to /cgi-bin/cmh/webcam.sh.
13 CVE-2019-15036 78 Exec Code 2019-10-02 2019-10-03
9.0
None Remote Low Single system Complete Complete Complete
An issue was discovered in JetBrains TeamCity 2018.2.4. A TeamCity Project administrator could execute any command on the server machine. The issue was fixed in TeamCity 2018.2.5 and 2019.1.
14 CVE-2019-14699 78 Exec Code 2019-08-06 2019-08-13
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on MicroDigital N-series cameras with firmware through 6400.0.8.5. An attacker can exploit OS Command Injection in the filename parameter for remote code execution as root. This occurs in the Mainproc executable file, which can be run from the HTTPD web server.
15 CVE-2019-14527 78 Exec Code 2019-08-14 2019-08-27
10.0
None Remote Low Not required Complete Complete Complete
An issue was discovered on NETGEAR Nighthawk M1 (MR1100) devices before 12.06.03. System commands can be executed, via the web interface, after authentication.
16 CVE-2019-13638 78 2019-07-26 2019-08-16
9.3
None Remote Medium Not required Complete Complete Complete
GNU patch through 2.7.6 is vulnerable to OS shell command injection that can be exploited by opening a crafted patch file that contains an ed style diff payload with shell metacharacters. The ed editor does not need to be present on the vulnerable system. This is different from CVE-2018-1000156.
17 CVE-2019-13598 78 Exec Code 2019-07-14 2019-07-15
10.0
None Remote Low Not required Complete Complete Complete
LuaUPnP in Vera Edge Home Controller 1.7.4452 allows remote unauthenticated users to execute arbitrary OS commands via the code parameter to /port_3480/data_request because the "No unsafe lua allowed" code block is skipped.
18 CVE-2019-13552 78 Exec Code 2019-09-18 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
In WebAccess versions 8.4.1 and prior, multiple command injection vulnerabilities are caused by a lack of proper validation of user-supplied data and may allow arbitrary file deletion and remote code execution.
19 CVE-2019-13051 78 2019-10-09 2019-10-11
6.8
None Remote Medium Not required Partial Partial Partial
Pi-Hole 4.3 allows Command Injection.
20 CVE-2019-12929 78 DoS Exec Code 2019-06-24 2019-07-02
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** The QMP guest_exec command in QEMU 4.0.0 and earlier is prone to OS command injection, which allows the attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.
21 CVE-2019-12928 78 DoS Exec Code 2019-06-24 2019-07-02
10.0
None Remote Low Not required Complete Complete Complete
** DISPUTED ** The QMP migrate command in QEMU version 4.0.0 and earlier is vulnerable to OS command injection, which allows the remote attacker to achieve code execution, denial of service, or information disclosure by sending a crafted QMP command to the listening server. Note: This has been disputed as a non-issue since QEMU's -qmp interface is meant to be used by trusted users. If one is able to access this interface via a tcp socket open to the internet, then it is an insecure configuration issue.
22 CVE-2019-12811 78 Exec Code 2019-10-07 2019-10-10
7.5
None Remote Low Not required Partial Partial Partial
ActiveX Control in MyBuilder before 6.2.2019.814 allow an attacker to execute arbitrary command via the ShellOpen method. This can be leveraged for code execution
23 CVE-2019-12739 78 Exec Code 2019-06-05 2019-06-06
6.5
None Remote Low Single system Partial Partial Partial
lib/Controller/ExtractionController.php in the Extract add-on before 1.2.0 for Nextcloud allows Remote Code Execution via shell metacharacters in a RAR filename via ajax/extractRar.php (nameOfFile and directory parameters).
24 CVE-2019-12735 78 Exec Code 2019-06-05 2019-06-13
9.3
None Remote Medium Not required Complete Complete Complete
getchar.c in Vim before 8.1.1365 and Neovim before 0.3.6 allows remote attackers to execute arbitrary OS commands via the :source! command in a modeline, as demonstrated by execute in Vim, and assert_fails or nvim_input in Neovim.
25 CVE-2019-12725 78 Exec Code 2019-07-19 2019-07-22
10.0
None Remote Low Not required Complete Complete Complete
Zeroshell 3.9.0 is prone to a remote command execution vulnerability. Specifically, this issue occurs because the web application mishandles a few HTTP parameters. An unauthenticated attacker can exploit this issue by injecting OS commands inside the vulnerable parameters.
26 CVE-2019-12717 78 Exec Code 2019-09-25 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco NX-OS Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges. The vulnerability is due to insufficient validation of arguments passed to a specific VMAN CLI command on an affected device. An attacker could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the underlying Linux operating system with root privileges, which may lead to complete system compromise. An attacker would need valid administrator credentials to exploit this vulnerability.
27 CVE-2019-12709 78 Exec Code 2019-09-25 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in a CLI command related to the virtualization manager (VMAN) in Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with root privileges. The vulnerability is due to insufficient validation of arguments passed to a specific VMAN CLI command on an affected device. An attacker who has valid administrator access to an affected device could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system with root privileges, which may lead to complete system compromise.
28 CVE-2019-12690 78 Exec Code 2019-10-02 2019-10-10
9.0
None Remote Low Single system Complete Complete Complete
A vulnerability in the web UI of the Cisco Firepower Management Center (FMC) could allow an authenticated, remote attacker to inject arbitrary commands that are executed with the privileges of the root user of the underlying operating system. The vulnerability is due to insufficient validation of user-supplied input to the web UI. An attacker could exploit this vulnerability by submitting crafted input in the web UI. A successful exploit could allow an attacker to execute arbitrary commands on the device with full root privileges.
29 CVE-2019-12661 78 Exec Code 2019-09-25 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
A vulnerability in a Virtualization Manager (VMAN) related CLI command of Cisco IOS XE Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying Linux operating system with a privilege level of root. The vulnerability is due to insufficient validation of arguments passed to a specific VMAN CLI command on the affected device. An attacker who has administrator access to an affected device could exploit this vulnerability by including malicious input as the argument of an affected command. A successful exploit could allow the attacker to execute arbitrary commands on the device with root privileges, which may lead to complete system compromise.
30 CVE-2019-12651 78 Exec Code 2019-09-25 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
31 CVE-2019-12650 78 Exec Code 2019-09-25 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
Multiple vulnerabilities in the web-based user interface (Web UI) of Cisco IOS XE Software could allow an authenticated, remote attacker to execute commands with elevated privileges on the affected device. For more information about these vulnerabilities, see the Details section of this advisory.
32 CVE-2019-12091 78 Exec Code 2019-09-26 2019-10-09
7.2
None Local Low Not required Complete Complete Complete
The Netskope client service, v57 before 57.2.0.219 and v60 before 60.2.0.214, running with NT\SYSTEM privilege, accepts network connections from localhost. The connection handling function in this service suffers from command injection vulnerability. Local users can use this vulnerability to execute code with NT\SYSTEM privilege.
33 CVE-2019-11829 78 Exec Code 2019-06-30 2019-10-09
7.5
None Remote Low Not required Partial Partial Partial
OS command injection vulnerability in drivers_syno_import_user.php in Synology Calendar before 2.3.1-0617 allows remote attackers to execute arbitrary commands via the crafted 'X-Real-IP' header.
34 CVE-2019-11527 78 2019-10-10 2019-10-15
9.0
None Remote Low Single system Complete Complete Complete
An issue was discovered in Softing uaGate SI 1.60.01. A CGI script is vulnerable to command injection with a maliciously crafted url parameter.
35 CVE-2019-11444 78 Exec Code 2019-04-22 2019-05-09
9.0
None Remote Low Single system Complete Complete Complete
** DISPUTED ** An issue was discovered in Liferay Portal CE 7.1.2 GA3. An attacker can use Liferay's Groovy script console to execute OS commands. Commands can be executed via a [command].execute() call, as demonstrated by "def cmd =" in the ServerAdminPortlet_script value to group/control_panel/manage. Valid credentials for an application administrator user account are required. NOTE: The developer disputes this as a vulnerability since it is a feature for administrators to run groovy scripts and therefore not a design flaw.
36 CVE-2019-11364 78 2019-08-29 2019-09-03
9.0
None Remote Low Single system Complete Complete Complete
An OS Command Injection vulnerability in Snare Central before 7.4.5 allows remote authenticated attackers to inject arbitrary OS commands via the ServerConf/DataManagement/DiskManager.php FORMNAS_share parameter.
37 CVE-2019-11224 78 2019-05-15 2019-05-15
6.5
None Remote Low Single system Partial Partial Partial
HARMAN AMX MVP5150 v2.87.13 devices allow remote OS Command Injection.
38 CVE-2019-11062 78 2019-07-11 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.
39 CVE-2019-11001 78 2019-04-08 2019-04-09
9.0
None Remote Low Single system Complete Complete Complete
On Reolink RLC-410W, C1 Pro, C2 Pro, RLC-422W, and RLC-511W devices through 1.0.227, an authenticated admin can use the "TestEmail" functionality to inject and run OS commands as root, as demonstrated by shell metacharacters in the addr1 field.
40 CVE-2019-10880 78 Exec Code 2019-04-12 2019-10-09
10.0
None Remote Low Not required Complete Complete Complete
Within multiple XEROX products a vulnerability allows remote command execution on the Linux system, as the "nobody" user through a crafted "HTTP" request (OS Command Injection vulnerability in the HTTP interface). Depending upon configuration authentication may not be necessary.
41 CVE-2019-10392 78 2019-09-12 2019-10-09
6.5
None Remote Low Single system Partial Partial Partial
Jenkins Git Client Plugin 2.8.4 and earlier and 3.0.0-rc did not properly restrict values passed as URL argument to an invocation of 'git ls-remote', resulting in OS command injection.
42 CVE-2019-10048 78 Exec Code 2019-05-31 2019-06-03
9.0
None Remote Low Single system Complete Complete Complete
The ImageMagick plugin that is installed by default in Pydio through 8.2.2 does not perform the appropriate validation and sanitization of user supplied input in the plugin's configuration options, allowing arbitrary shell commands to be entered that result in command execution on the underlying operating system, with the privileges of the local user running the web server. The attacker must be authenticated into the application with an administrator user account in order to be able to edit the affected plugin configuration.
43 CVE-2019-9804 78 Exec Code 2019-04-26 2019-04-30
7.5
None Remote Low Not required Partial Partial Partial
In Firefox Developer Tools it is possible that pasting the result of the 'Copy as cURL' command into a command shell on macOS will cause the execution of unintended additional bash script commands if the URL was maliciously crafted. This is the result of an issue with the native version of Bash on macOS. *Note: This issue only affects macOS. Other operating systems are unaffected.*. This vulnerability affects Firefox < 66.
44 CVE-2019-9193 78 Exec Code 2019-04-01 2019-10-10
9.0
None Remote Low Single system Complete Complete Complete
** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ?COPY TO/FROM PROGRAM? is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ?COPY FROM PROGRAM?.
45 CVE-2019-9156 78 2019-06-05 2019-06-06
5.2
None Local Network Low Single system Partial Partial Partial
Gemalto DS3 Authentication Server 2.6.1-SP01 allows OS Command Injection.
46 CVE-2019-7269 78 Exec Code 2019-07-02 2019-07-05
10.0
None Remote Low Not required Complete Complete Complete
Linear eMerge 50P/5000P devices allow Authenticated Command Injection with root Code Execution.
47 CVE-2019-5485 78 2019-09-13 2019-09-25
10.0
None Remote Low Not required Complete Complete Complete
NPM package gitlabhook version 0.0.17 is vulnerable to a Command Injection vulnerability. Arbitrary commands can be injected through the repository name.
48 CVE-2019-5475 78 Exec Code 2019-09-03 2019-10-09
9.0
None Remote Low Single system Complete Complete Complete
The Nexus Yum Repository Plugin in v2 is vulnerable to Remote Code Execution when instances using CommandLineExecutor.java are supplied vulnerable data, such as the Yum Configuration Capability.
49 CVE-2019-5441 78 2019-06-07 2019-06-11
9.0
None Remote Low Single system Complete Complete Complete
An OS Command Injection has been discovered in the Nextcloud App: Extract prior to version 1.2.0.
50 CVE-2019-5414 78 2019-03-21 2019-10-09
9.3
None Remote Medium Not required Complete Complete Complete
If an attacker can control the port, which in itself is a very sensitive value, they can inject arbitrary OS commands due to the usage of the exec function in a third-party module kill-port < 1.3.2.
Total number of vulnerabilities : 788   Page : 1 (This Page)2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site. OVAL is a registered trademark of The MITRE Corporation and the authoritative source of OVAL content is MITRE's OVAL web site.
Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.