get-git-data through 1.3.1 is vulnerable to Command Injection. It is possible to inject arbitrary commands as part of the arguments provided to get-git-data.
apiconnect-cli-plugins through 6.0.1 is vulnerable to Command Injection.It allows execution of arbitrary commands via the pluginUri argument.
All versions of chrome-launcher allow execution of arbitrary commands, by controlling the $HOME environment variable in Linux operating systems.
pomelo-monitor through 0.3.7 is vulnerable to Command Injection.It allows injection of arbitrary commands as part of 'pomelo-monitor' params.
This affects the package connection-tester before 0.2.1. The injection point is located in line 15 in index.js. The following PoC demonstrates the vulnerability:
effect through 1.0.4 is vulnerable to Command Injection. It allows execution of arbitrary command via the options argument.
diskusage-ng through 0.2.4 is vulnerable to Command Injection.It allows execution of arbitrary commands via the path argument.
pixl-class prior to 1.0.3 allows execution of arbitrary commands. The members argument of the create function can be controlled by users without any sanitization.
A command injection vulnerability in the `devcert` module may lead to remote code execution when users of the module pass untrusted input to the `certificateFor` function.
node-mpv through 1.4.3 is vulnerable to Command Injection. It allows execution of arbitrary commands via the options argument.
This affects all versions of package spritesheet-js. It depends on a vulnerable package platform-command. The injection point is located in line 32 in lib/generator.js, which is triggered by main entry of the package.
This affects all versions of package buns. The injection point is located in line 678 in index file lib/index.js in the exported function install(requestedModule).
npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function directly.
op-browser through 1.0.6 is vulnerable to Command Injection. It allows execution of arbitrary commands via the url function.
This affects all versions of package freediskspace. The vulnerability arises out of improper neutralization of arguments in line 71 of freediskspace.js.
node-key-sender through 1.0.11 is vulnerable to Command Injection. It allows execution of arbitrary commands via the 'arrParams' argument in the 'execute()' function.
System command injection in formDlna in TOTOLINK A3002RU version 1.0.8 allows attackers to execute system commands via the "sambaUser" POST parameter.
This affects all versions of package macfromip. The injection point is located in line 66 in macfromip.js.
A vulnerability exists that could allow the execution of operating system commands on systems running MiPlatform 2019.05.16 and earlier. An attacker could execute arbitrary remote command by sending parameters to WinExec function in ExtCommandApi.dll module of MiPlatform.
The pwrstudio web application of EV Charger (in the server in Circontrol Raption through 5.6.2) is vulnerable to OS command injection via three fields of the configuration menu for ntpserver0, ntpserver1, and pingip.
closure-compiler-stream through 0.1.15 allows execution of arbitrary commands. The argument "options" of the exports function in "index.js" can be controlled by users without any sanitization.
OS command injection in the AP mode settings feature in /cgi-bin/luci /api/misystem/set_router_wifiap on Xiaomi R3D before 2.26.4 devices allows an attacker to execute any command via crafted JSON data.
This affects all versions of package node-ps. The injection point is located in line 72 in lib/index.js.
An issue was discovered on KT Slim egg IML500 (R7283, R8112, R8424) and IML520 (R8112, R8368, R8411) wifi device. This issue is a command injection allowing attackers to execute arbitrary OS commands.
The package bestzip before 2.1.7 are vulnerable to Command Injection via the options param.
adb-driver through 0.1.8 is vulnerable to Command Injection.It allows execution of arbitrary commands via the command function.
Insufficient input validation in npm package `jison` <= 0.4.18 may lead to OS command injection attacks.
curlrequest through 1.0.1 allows reading any file by populating the file parameter with user input.
We have recently released new version of AirMax AirOS firmware v6.3.0 for TI, XW and XM boards that fixes vulnerabilities found on AirMax AirOS v6.2.0 and prior TI, XW and XM boards, according to the description below:There are certain end-points containing functionalities that are vulnerable to command injection. It is possible to craft an input string that passes the filter check but still contains commands, resulting in remote code execution.Mitigation:Update to the latest AirMax AirOS firmware version available at the AirMax download page.
karma-mojo through 1.0.1 is vulnerable to Command Injection. It allows execution of arbitrary commands via the config argument.
docker-compose-remote-api through 0.1.4 allows execution of arbitrary commands. Within 'index.js' of the package, the function 'exec(serviceName, cmd, fnStdout, fnStderr, fnExit)' uses the variable 'serviceName' which can be controlled by users without any sanitization.
This issue was discovered when the ipTIME C200 IP Camera was synchronized with the ipTIME NAS. It is necessary to extract value for ipTIME IP camera because the ipTIME NAS send ans setCookie('[COOKIE]') . The value is transferred to the --header option in wget binary, and there is no validation check. This vulnerability allows remote attackers to execute remote command.
git-add-remote through 1.0.0 is vulnerable to Command Injection. It allows execution of arbitrary commands via the name argument.
In BIG-IQ 6.0.0-7.0.0, a remote access vulnerability has been discovered that may allow a remote user to execute shell commands on affected systems using HTTP requests to the BIG-IQ user interface.
An issue was discovered on certain ABUS TVIP cameras. The CGI scripts allow remote attackers to execute code via system() as root. There are several injection points in various scripts.
A remote code execution issue was discovered in HashBrown CMS through 1.3.3. Server/Entity/Deployer/GitDeployer.js has a Service.AppService.exec call that mishandles the URL, repository, username, and password.
D-Link DCH-M225 1.05b01 and earlier devices allow remote attackers to execute arbitrary OS commands via shell metacharacters in the spotifyConnect.php userName parameter.
languageOptions.php in Rasilient PixelStor 5000 K:4.0.1580-20150629 (KDI Version) allows unauthenticated attackers to remotely execute code via the lang parameter.
acccheck.pl in acccheck 0.2.1 allows Command Injection via shell metacharacters in a username or password file, as demonstrated by injection into an smbclient command line.
Schmid ZI 620 V400 VPN 090 routers allow an attacker to execute OS commands as root via shell metacharacters to an entry on the SSH subcommand menu, as demonstrated by ping.
The web-management application on Seagate Central NAS STCG2000300, STCG3000300, and STCG4000300 devices allows OS command injection via mv_backend_launch in cirrus/application/helpers/mv_backend_helper.php by leveraging the "start" state and sending a check_device_name request.
SV3C L-SERIES HD CAMERA V2.3.4.2103-S50-NTD-B20170508B and V2.3.4.2103-S50-NTD-B20170823B devices allow OS Command Injection.
The Data Protection extension in the VMware GUI in IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (aka Spectrum Protect for Virtual Environments) 7.1 before 7.1.3.0 and Tivoli Storage FlashCopy Manager for VMware (aka Spectrum Protect Snapshot) 4.1 before 4.1.3.0 allows remote attackers to execute arbitrary OS commands via unspecified vectors.
VTech Storio Max before 56.D3JM6 allows remote command execution via shell metacharacters in an Android activity name. It exposes the storeintenttranslate.x service on port 1668 listening for requests on localhost. Requests submitted to this service are checked for a string of random characters followed by the name of an Android activity to start. Activities are started by inserting their name into a string that is executed in a shell command. By inserting metacharacters this can be exploited to run arbitrary commands as root. The requests also match those of the HTTP protocol and can be triggered on any web page rendered on the device by requesting resources stored at an http://127.0.0.1:1668/ URI, as demonstrated by the http://127.0.0.1:1668/dacdb70556479813fab2d92896596eef?';{ping,example.org}' URL.
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via HTTP. An authenticated remote attacker can bypass command injection mitigations and execute commands as the root user by sending a crafted HTTP POST to the UCM's "New" HTTPS API.
Grandstream UCM6200 series firmware version 1.0.20.23 and below is vulnerable to OS command injection via SSH. An authenticated remote attacker can execute commands as the root user by issuing a specially crafted "unset" command.
UNIVERGE SV9500 series from V1 to V7and SV8500 series from S6 to S8 allows an attacker to execute arbitrary OS commands or cause a denial-of-service (DoS) condition by sending a specially crafted request to a specific URL.
In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the `npm` command which is part of this software package. This allows arbitrary shell execution,which can compromise the bot This is patched in version 1.0.0-beta
A command injection vulnerability in libnmapp package for versions <0.4.16 allows arbitrary commands to be executed via arguments to the range options.
A command injection vulnerability in the apex-publish-static-files npm module version <2.0.1 which allows arbitrary shell command execution through a maliciously crafted argument.