Vulnerabilities > Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2018-01-09 | CVE-2017-18025 | OS Command Injection vulnerability in Innotube Itguard Manager 0.0.0.1 cgi-bin/drknow.cgi in Innotube ITGuard-Manager 0.0.0.1 allows remote attackers to execute arbitrary OS commands via shell metacharacters in the username field, as demonstrated by a username beginning with "admin|" to use the '|' metacharacter. | 9.8 |
| 2018-01-05 | CVE-2017-16666 | OS Command Injection vulnerability in Xplico Xplico before 1.2.1 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the name of an uploaded PCAP file. | 8.8 |
| 2018-01-03 | CVE-2017-1000487 | OS Command Injection vulnerability in multiple products Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings. | 9.8 |
| 2018-01-03 | CVE-2017-1000473 | OS Command Injection vulnerability in Linux-Dash Project Linux-Dash Linux Dash up to version v2 is vulnerable to multiple command injection vulnerabilities in the way module names are parsed and then executed resulting in code execution on the server, potentially as root. | 7.8 |
| 2017-12-28 | CVE-2014-8389 | OS Command Injection vulnerability in Airlive products cgi-bin/mft/wireless_mft.cgi in AirLive BU-2015 with firmware 1.03.18 16.06.2014, AirLive BU-3026 with firmware 1.43 21.08.2014, AirLive MD-3025 with firmware 1.81 21.08.2014, AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011, and AirLive POE-200CAM v2 with firmware LM.1.6.17.01 uses hard-coded credentials in the embedded Boa web server, which allows remote attackers to obtain user credentials via crafted HTTP requests. | 9.8 |
| 2017-12-27 | CVE-2017-17888 | OS Command Injection vulnerability in Hoytech Antiweb cgi-bin/write.cgi in Anti-Web through 3.8.7, as used on NetBiter / HMS, Ouman EH-net, Alliance System WS100 --> AWU 500, Sauter ERW100F001, Carlo Gavazzi SIU-DLG, AEDILIS SMART-1, SYXTHSENSE WebBiter, ABB SREA, and ASCON DY WebServer devices, allows remote authenticated users to execute arbitrary OS commands via crafted multipart/form-data content, a different vulnerability than CVE-2017-9097. | 8.8 |
| 2017-12-21 | CVE-2017-17411 | OS Command Injection vulnerability in Linksys Wvbr0 Firmware This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Linksys WVBR0. | 9.8 |
| 2017-12-20 | CVE-2017-5255 | OS Command Injection vulnerability in Cambiumnetworks Epmp 1000 Firmware and Epmp 2000 Firmware In version 3.5 and prior of Cambium Networks ePMP firmware, a lack of input sanitation for certain parameters on the web management console allows any authenticated user (including the otherwise low-privilege readonly user) to inject shell meta-characters as part of a specially-crafted POST request to the get_chart function and run OS-level commands, effectively as root. | 8.8 |
| 2017-12-19 | CVE-2017-15049 | OS Command Injection vulnerability in Zoom The ZoomLauncher binary in the Zoom client for Linux before 2.0.115900.1201 does not properly sanitize user input when constructing a shell command, which allows remote attackers to execute arbitrary code by leveraging the zoommtg:// scheme handler. | 8.8 |
| 2017-12-19 | CVE-2017-17758 | OS Command Injection vulnerability in Tp-Link products TP-Link TL-WVR and TL-WAR devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the interface field of an admin/dhcps command to cgi-bin/luci, related to the zone_get_iface_bydev function in /usr/lib/lua/luci/controller/admin/dhcps.lua in uhttpd. | 8.8 |