Vulnerabilities > Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-11-27 | CVE-2017-16957 | OS Command Injection vulnerability in Tp-Link products. TP-Link TL-WVR, TL-WAR, TL-ER, and TL-R devices allow remote authenticated users to execute arbitrary commands via shell metacharacters in the iface field of an admin/diagnostic command to cgi-bin/luci, related to the zone_get_effect_devices function in /usr/lib/lua/luci/controller/admin/diagnostic.lua in uhttpd. | 8.8 |
2017-11-24 | CVE-2017-16934 | OS Command Injection vulnerability in Dbltek web Server. The web server on DBL DBLTek devices allows remote attackers to execute arbitrary OS commands by obtaining the admin password via a frame.html?content=/dev/mtdblock/5 request, and then using this password for the HTTP Basic Authentication needed for a change_password.csp request, which supports a "<%%25call system.exec:" string in the passwd parameter. | 9.8 |
2017-11-22 | CVE-2017-16926 | OS Command Injection vulnerability in Ohcount Project Ohcount 3.0.0. Ohcount 3.0.0 is prone to a command injection via specially crafted filenames containing shell metacharacters, which can be exploited by an attacker (providing a source tree for Ohcount processing) to execute arbitrary code as the user running Ohcount. | 9.8 |
2017-11-21 | CVE-2017-16923 | OS Command Injection vulnerability in Tenda Ac15 Firmware, Ac18 Firmware and AC9 Firmware. Command Injection vulnerability in app_data_center on Shenzhen Tenda Ac9 US_AC9V1.0BR_V15.03.05.14_multi_TD01, Ac9 ac9_kf_V15.03.05.19(6318_)_cn, Ac15 US_AC15V1.0BR_V15.03.05.18_multi_TD01, Ac15 US_AC15V1.0BR_V15.03.05.19_multi_TD01, Ac18 US_AC18V1.0BR_V15.03.05.05_multi_TD01, and Ac18 ac18_kf_V15.03.05.19(6318_)_cn devices allows remote unauthenticated attackers to execute arbitrary OS commands via a crafted cgi-bin/luci/usbeject?dev_name= GET request from the LAN. | 8.8 |
2017-11-17 | CVE-2017-1000215 | OS Command Injection vulnerability in Xrootd 4.6.0. ROOT xrootd version 4.6.0 and below is vulnerable to an unauthenticated shell command injection resulting in remote code execution. | 9.8 |
2017-11-17 | CVE-2017-1000203 | OS Command Injection vulnerability in Cern Root. ROOT version 6.9.03 and below is vulnerable to an authenticated shell metacharacter injection in the rootd daemon resulting in remote code execution. | 8.8 |
2017-11-17 | CVE-2017-1000235 | OS Command Injection vulnerability in I-Librarian I Librarian. I, Librarian version <=4.6 & 4.7 is vulnerable to OS Command Injection in batchimport.php, resulting in the web server being fully compromised. | 9.8 |
2017-11-17 | CVE-2017-1000220 | OS Command Injection vulnerability in Pidusage Project Pidusage. soyuka/pidusage <=1.1.4 is vulnerable to command injection in the module, resulting in arbitrary command execution. | 9.8 |
2017-11-17 | CVE-2017-1000219 | OS Command Injection vulnerability in Windows-Cpu Project Windows-Cpu 0.1.1/0.1.2. All versions of npm/KyleRoss windows-cpu are vulnerable to command injection, resulting in code execution as the Node.js user. | 9.8 |
2017-11-16 | CVE-2017-12305 | OS Command Injection vulnerability in Cisco IP Phone 8800 Series Firmware. A vulnerability in the debug interface of Cisco IP Phone 8800 series could allow an authenticated, local attacker to execute arbitrary commands, aka Debug Shell Command Injection. | 6.7 |