Improper Neutralization of Special Elements used in a Command ('Command Injection')

DATE | CVE | VULNERABILITY TITLE | RISK

2015-01-04 | CVE-2014-9277 | Command Injection vulnerability in MediaWiki | 7.5
The wfMangleFlashPolicy function in OutputHandler.php in MediaWiki before 1.19.22, 1.20.x through 1.22.x before 1.22.14, and 1.23.x before 1.23.7 allows remote attackers to conduct PHP object injection attacks via a crafted string containing <cross-domain-policy> in a PHP format request, which causes the string length to change when converting the request to <NOT-cross-domain-policy>.
network | low complexity | mediawiki | CWE-77

2015-01-02 | CVE-2013-7418 | Command Injection vulnerability in IPCop 2.1.2/2.1.4 | 6.5
cgi-bin/iptablesgui.cgi in IPCop (aka IPCop Firewall) before 2.1.5 allows remote authenticated users to execute arbitrary code via shell metacharacters in the TABLE parameter.
network | low complexity | ipcop | CWE-77

2014-12-29 | CVE-2014-3556 | Command Injection vulnerability in F5 Nginx | 6.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
network | f5 | CWE-77

2014-12-29 | CVE-2014-1905 | Command Injection vulnerability in VideoWhisper Live Streaming Integration | critical 10.0
Unrestricted file upload vulnerability in ls/vw_snapshots.php in the VideoWhisper Live Streaming Integration plugin before 4.29.5 for WordPress allows remote attackers to execute arbitrary PHP code by uploading a file with a double extension, and then accessing the file via a direct request to a wp-content/plugins/videowhisper-live-streaming-integration/ls/snapshots/ pathname, as demonstrated by a .php.jpg filename.
network | low complexity | videowhisper | CWE-77

2014-12-28 | CVE-2013-4663 | Command Injection vulnerability in Redmine Git Hosting Plugin | 7.5
git_http_controller.rb in the redmine_git_hosting plugin for Redmine allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the service parameter to info/refs, related to the get_info_refs function or (2) the reqfile argument to the file_exists function.
network | low complexity | redmine | CWE-77

2014-12-19 | CVE-2014-7208 | Command Injection vulnerability in GParted | 7.2
GParted before 0.15.0 allows local users to execute arbitrary commands with root privileges via shell metacharacters in a crafted filesystem label.
local | low complexity | gparted | CWE-77

2014-12-17 | CVE-2014-7285 | Command Injection vulnerability in Symantec Web Gateway | 6.5
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.
network | low complexity | symantec | CWE-77

2014-12-15 | CVE-2014-6260 | Command Injection vulnerability in Zenoss Core | 6.8
Zenoss Core through 5 Beta 3 does not require a password for modifying the pager command string, which allows remote attackers to execute arbitrary commands or cause a denial of service (paging outage) by leveraging an unattended workstation, aka ZEN-15412.
network | zenoss | CWE-77

2014-12-12 | CVE-2014-8515 | Command Injection vulnerability in BitTorrent | 6.8
The web interface in BitTorrent allows remote attackers to execute arbitrary commands by leveraging knowledge of the pairing values and a crafted request to port 10000.
network | bittorrent | CWE-77

2014-12-08 | CVE-2013-2810 | Command Injection vulnerability in Emerson products | critical 10.0
Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to execute arbitrary commands via a TCP replay attack.
network | low complexity | emerson | CWE-77