Vulnerabilities > Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2018-09-28 | CVE-2018-9076 | OS Command Injection vulnerability in Lenovo Lenovoemc Firmware 4.1.402.34662. For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when changing the name of a share, an attacker can craft a command injection payload using backtick "``" characters in the name parameter. | 8.1 |
2018-09-28 | CVE-2018-9075 | OS Command Injection vulnerability in Lenovo Lenovoemc Firmware 4.1.402.34662. For some Iomega, Lenovo, LenovoEMC NAS devices versions 4.1.402.34662 and earlier, when joining a PersonalCloud setup, an attacker can craft a command injection payload using backtick "``" characters in the client:password parameter. | 8.1 |
2018-09-26 | CVE-2018-16055 | OS Command Injection vulnerability in Netgate Pfsense. An authenticated command injection vulnerability exists in status_interfaces.php via dhcp_relinquish_lease() in pfSense before 2.4.4 due to its passing user input from the $_POST parameters "ifdescr" and "ipv" to a shell without escaping the contents of the variables. | 8.8 |
2018-09-21 | CVE-2018-17317 | OS Command Injection vulnerability in Fruitywifi Project Fruitywifi 2.1. FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /www/script/config_iface.php, or the newSSID, hostapd_secure, hostapd_wpa_passphrase, or supplicant_ssid parameter to /www/page_config.php. | 9.8 |
2018-09-20 | CVE-2018-16282 | OS Command Injection vulnerability in Moxa Edr-810 Firmware 4.2. A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI. | 8.8 |
2018-09-19 | CVE-2018-17228 | OS Command Injection vulnerability in Nmap4J Project Nmap4J 1.1.0. nmap4j 1.1.0 allows attackers to execute arbitrary commands via shell metacharacters in an includeHosts call. | 9.8 |
2018-09-19 | CVE-2017-2873 | OS Command Injection vulnerability in Foscam C1 Firmware 2.52.2.43. An exploitable command injection vulnerability exists in the web management interface used by the Foscam C1 Indoor HD Camera running application firmware 2.52.2.43. | 7.2 |
2018-09-19 | CVE-2018-17208 | OS Command Injection vulnerability in Linksys Velop Firmware 1.1.2.187020. Linksys Velop 1.1.2.187020 devices allow unauthenticated command injection, providing an attacker with full root access, via cgi-bin/zbtest.cgi or cgi-bin/zbtest2.cgi (scripts that can be discovered with binwalk on the firmware, but are not visible in the web interface). | 8.8 |
2018-09-15 | CVE-2018-17068 | OS Command Injection vulnerability in Dlink Dir-816 A2 Firmware 1.10B05. An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. | 9.8 |
2018-09-15 | CVE-2018-17066 | OS Command Injection vulnerability in Dlink Dir-816 A2 Firmware 1.10B05. An issue was discovered on D-Link DIR-816 A2 1.10 B05 devices. | 9.8 |