Common Weakness Enumeration

CWE-77

Allowed-with-Review

Improper Neutralization of Special Elements used in a Command ('Command Injection')

Abstraction: Class · Status: Draft

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

5386 vulnerabilities reference this CWE, most recent first.

GHSA-6XVJ-HFC5-C4V6

Vulnerability from github – Published: 2022-05-24 17:16 – Updated: 2022-10-27 19:00
VLAI
Details

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2019-16011"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-04-29T21:15:00Z",
    "severity": "HIGH"
  },
  "details": "A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by authenticating to the device and submitting crafted input to the CLI utility. The attacker must be authenticated to access the CLI utility. A successful exploit could allow the attacker to execute commands with root privileges.",
  "id": "GHSA-6xvj-hfc5-c4v6",
  "modified": "2022-10-27T19:00:32Z",
  "published": "2022-05-24T17:16:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16011"
    },
    {
      "type": "WEB",
      "url": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-xesdwcinj-AcQ5MxCn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6XVQ-PJQR-R3X2

Vulnerability from github – Published: 2022-05-17 04:04 – Updated: 2022-05-17 04:04
VLAI
Details

SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-7839"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2015-10-15T20:59:00Z",
    "severity": "HIGH"
  },
  "details": "SolarWinds Log and Event Manager (LEM) allows remote attackers to execute arbitrary commands on managed computers via a request to services/messagebroker/nonsecurestreamingamf involving the traceroute functionality.",
  "id": "GHSA-6xvq-pjqr-r3x2",
  "modified": "2022-05-17T04:04:43Z",
  "published": "2022-05-17T04:04:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7839"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-15-461"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-6XX3-64JX-CVCX

Vulnerability from github – Published: 2025-11-20 18:31 – Updated: 2025-11-21 00:30
VLAI
Details

An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-60738"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-20T16:15:58Z",
    "severity": "HIGH"
  },
  "details": "An issue in Ilevia EVE X1 Server Firmware Version v4.7.18.0.eden and before Logic Version v6.00 - 2025_07_21 and before allows a remote attacker to execute arbitrary code via the ping.php component does not perform secure filtering on IP parameters",
  "id": "GHSA-6xx3-64jx-cvcx",
  "modified": "2025-11-21T00:30:21Z",
  "published": "2025-11-20T18:31:01Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60738"
    },
    {
      "type": "WEB",
      "url": "https://github.com/iSee857/ilevia-EVE-X1-Server"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6XXQ-J39W-G3F6

Vulnerability from github – Published: 2022-05-14 00:56 – Updated: 2024-01-12 16:30
VLAI
Summary
Puppet Arbitrary Command Execution
Details

Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.6.0"
            },
            {
              "fixed": "2.6.15"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puppet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.7.0"
            },
            {
              "fixed": "2.7.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2012-1988"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-12T16:30:38Z",
    "nvd_published_at": "2012-05-29T20:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.",
  "id": "GHSA-6xxq-j39w-g3f6",
  "modified": "2024-01-12T16:30:38Z",
  "published": "2022-05-14T00:56:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-1988"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/0d6d29933e613fe177e9235415919a5428db67bc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puppetlabs/puppet/commit/568ded50ec6cc498ad32ff7f086d9f73b5d24c14"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121031092646/http://www.securityfocus.com/bid/52975"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121025194830/http://secunia.com/advisories/49136"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121025113446/http://secunia.com/advisories/48748"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121025112409/http://secunia.com/advisories/48789"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20121013181707/http://puppetlabs.com/security/cve/cve-2012-1988"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120513213112/http://projects.puppetlabs.com/issues/13518"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975"
    },
    {
      "type": "WEB",
      "url": "https://hermes.opensuse.org/messages/15087408"
    },
    {
      "type": "WEB",
      "url": "https://hermes.opensuse.org/messages/14523305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puppet/CVE-2012-1988.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puppetlabs/puppet"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74796"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079227.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-April/079289.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080003.html"
    },
    {
      "type": "WEB",
      "url": "http://projects.puppetlabs.com/issues/13518"
    },
    {
      "type": "WEB",
      "url": "http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.15"
    },
    {
      "type": "WEB",
      "url": "http://puppetlabs.com/security/cve/cve-2012-1988"
    },
    {
      "type": "WEB",
      "url": "http://ubuntu.com/usn/usn-1419-1"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2012/dsa-2451"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Puppet Arbitrary Command Execution"
}

GHSA-723Q-4X66-VRF2

Vulnerability from github – Published: 2024-08-23 18:33 – Updated: 2024-08-23 21:30
VLAI
Details

D-Link DI_8004W 16.07.26A1 contains a command execution vulnerability in jhttpd msp_info_htm function.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44381"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-23T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "D-Link DI_8004W 16.07.26A1 contains a command execution vulnerability in jhttpd msp_info_htm function.",
  "id": "GHSA-723q-4x66-vrf2",
  "modified": "2024-08-23T21:30:42Z",
  "published": "2024-08-23T18:33:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44381"
    },
    {
      "type": "WEB",
      "url": "https://github.com/GroundCTL2MajorTom/pocs/blob/main/dlink_DI8004W.md"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-726G-59WR-CJ4C

Vulnerability from github – Published: 2026-03-09 16:56 – Updated: 2026-03-10 18:39
VLAI
Summary
@budibase/server: Command Injection in PostgreSQL Dump Command
Details

Location: packages/server/src/integrations/postgres.ts:529-531

Description

The PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.

Code Reference

``529:531:packages/server/src/integrations/postgres.ts const dumpCommand =PGPASSWORD="${ this.config.password }" pg_dump --schema-only "${dumpCommandParts.join(" ")}"`


#### Attack Vector
An attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:
- Password: `password"; malicious-command; echo "`
- Database name: `db"; rm -rf /; echo "`

#### Impact
- Remote code execution
- System compromise
- Data exfiltration

#### Recommendation
1. Use environment variables for sensitive values instead of command-line arguments
2. Validate and sanitize all configuration values
3. Use proper escaping for shell arguments
4. Consider using a PostgreSQL library's native dump functionality instead of shell commands

#### Example Fix
```typescript
import { execFile } from "child_process"
import { promisify } from "util"
const execFileAsync = promisify(execFile)

// Use execFile with proper argument handling
const env = {
  ...process.env,
  PGPASSWORD: this.config.password
}

const args = [
  "--schema-only",
  "--host", this.config.host,
  "--port", this.config.port.toString(),
  "--username", this.config.user,
  "--dbname", this.config.database
]

try {
  const { stdout } = await execFileAsync("pg_dump", args, { env })
  return stdout
} catch (error) {
  // Handle error
}
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@budibase/server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.23.32"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-25041"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-09T16:56:26Z",
    "nvd_published_at": "2026-03-09T20:16:07Z",
    "severity": "HIGH"
  },
  "details": "**Location**: `packages/server/src/integrations/postgres.ts:529-531`  \n\n#### Description\nThe PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command.\n\n#### Code Reference\n```529:531:packages/server/src/integrations/postgres.ts\n    const dumpCommand = `PGPASSWORD=\"${\n      this.config.password\n    }\" pg_dump --schema-only \"${dumpCommandParts.join(\" \")}\"`\n```\n\n#### Attack Vector\nAn attacker who can control database configuration values (e.g., through compromised credentials or configuration injection) can inject shell commands. For example:\n- Password: `password\"; malicious-command; echo \"`\n- Database name: `db\"; rm -rf /; echo \"`\n\n#### Impact\n- Remote code execution\n- System compromise\n- Data exfiltration\n\n#### Recommendation\n1. Use environment variables for sensitive values instead of command-line arguments\n2. Validate and sanitize all configuration values\n3. Use proper escaping for shell arguments\n4. Consider using a PostgreSQL library\u0027s native dump functionality instead of shell commands\n\n#### Example Fix\n```typescript\nimport { execFile } from \"child_process\"\nimport { promisify } from \"util\"\nconst execFileAsync = promisify(execFile)\n\n// Use execFile with proper argument handling\nconst env = {\n  ...process.env,\n  PGPASSWORD: this.config.password\n}\n\nconst args = [\n  \"--schema-only\",\n  \"--host\", this.config.host,\n  \"--port\", this.config.port.toString(),\n  \"--username\", this.config.user,\n  \"--dbname\", this.config.database\n]\n\ntry {\n  const { stdout } = await execFileAsync(\"pg_dump\", args, { env })\n  return stdout\n} catch (error) {\n  // Handle error\n}\n```",
  "id": "GHSA-726g-59wr-cj4c",
  "modified": "2026-03-10T18:39:09Z",
  "published": "2026-03-09T16:56:26Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-726g-59wr-cj4c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25041"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/commit/9fdbff32fb9e69650ba899a799e13f80d9b09e93"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Budibase/budibase"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Budibase/budibase/blob/f34d545602a7c94427bae63312a5ee9bf2aa6c85/packages/server/src/integrations/postgres.ts#L529-L531"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "@budibase/server: Command Injection in PostgreSQL Dump Command"
}

GHSA-726X-RVQX-M6J6

Vulnerability from github – Published: 2024-09-09 18:30 – Updated: 2024-09-09 21:31
VLAI
Details

D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution (RCE) via version_upgrade.asp.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-44335"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-09-09T18:15:03Z",
    "severity": "HIGH"
  },
  "details": "D-Link DI-7003G v19.12.24A1, DI-7003GV2 v24.04.18D1, DI-7100G+V2 v24.04.18D1, DI-7100GV2 v24.04.18D1, DI-7200GV2 v24.04.18E1, DI-7300G+V2 v24.04.18D1, and DI-7400G+V2 v24.04.18D1 are vulnerable to Remote Command Execution (RCE) via version_upgrade.asp.",
  "id": "GHSA-726x-rvqx-m6j6",
  "modified": "2024-09-09T21:31:22Z",
  "published": "2024-09-09T18:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44335"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/Swind1er/029fb2a9dab916f926fab40cc059223f"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72JX-RHG9-XGFW

Vulnerability from github – Published: 2025-07-22 21:31 – Updated: 2025-07-22 21:31
VLAI
Details

Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-51472"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-07-22T20:15:25Z",
    "severity": "MODERATE"
  },
  "details": "Code Injection in AgentTemplate.eval_agent_config in TransformerOptimus SuperAGI 0.0.14 allows remote attackers to execute arbitrary Python code via malicious values in agent template configurations such as the goal, constraints, or instruction field, which are evaluated using eval() without validation during template loading or updates.",
  "id": "GHSA-72jx-rhg9-xgfw",
  "modified": "2025-07-22T21:31:15Z",
  "published": "2025-07-22T21:31:15Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51472"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TransformerOptimus/SuperAGI/pull/1461"
    },
    {
      "type": "WEB",
      "url": "https://github.com/TransformerOptimus/SuperAGI"
    },
    {
      "type": "WEB",
      "url": "https://www.gecko.security/blog/cve-2025-51472"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-72M3-3P32-PW2Q

Vulnerability from github – Published: 2022-01-19 00:01 – Updated: 2022-01-25 00:02
VLAI
Details

China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-33964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-01-18T12:15:00Z",
    "severity": "HIGH"
  },
  "details": "China Mobile An Lianbao WF-1 V1.0.1 router provides a web interface /api/ZRRuleFilter/set_firewall_level which receives parameters by POST request, and the parameter firewall_level has a command injection vulnerability. An attacker can use the vulnerability to execute remote commands.",
  "id": "GHSA-72m3-3p32-pw2q",
  "modified": "2022-01-25T00:02:35Z",
  "published": "2022-01-19T00:01:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33964"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pokerfacett/MY_CVE_CREDIT/blob/master/China%20Mobile%20An%20Lianbao%20WF-1%20router%20Command%20Injection11.md"
    },
    {
      "type": "WEB",
      "url": "https://www.cnvd.org.cn/flaw/show/CNVD-2021-03520"
    },
    {
      "type": "WEB",
      "url": "https://www.ebuy7.com/item/china-mobile-wireless-router-qualcomm-qiki-wifi6-routing-mesh-network-home-5g-dual-frequency-double-gigabit-port-wall-wall-high-speed-%E2%80%8B%E2%80%8Bhigh-power-enhanced-dormitory-students-an-lianbao-wf-1-628692180620"
    },
    {
      "type": "WEB",
      "url": "http://iot.10086.cn/?l=en-us"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-72V3-RGJM-MJ6F

Vulnerability from github – Published: 2024-11-13 00:30 – Updated: 2024-11-16 00:31
VLAI
Details

Sercomm Router Etisalat Model S3- AC2100 is affected by Incorrect Access Control via the diagnostic utility in the router dashboard.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-27702"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-12T23:15:03Z",
    "severity": "HIGH"
  },
  "details": "Sercomm Router Etisalat Model S3- AC2100 is affected by Incorrect Access Control via the diagnostic utility in the router dashboard.",
  "id": "GHSA-72v3-rgjm-mj6f",
  "modified": "2024-11-16T00:31:50Z",
  "published": "2024-11-13T00:30:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-27702"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Mrnmap/mrnmap-cve/blob/main/CVE-2021-27702"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

If at all possible, use library calls rather than external processes to recreate the desired functionality.

Mitigation
Implementation

If possible, ensure that all external commands called from the program are statically created.

Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Operation

Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.

Mitigation
System Configuration

Assign permissions that prevent the user from accessing/opening privileged files.

CAPEC-136: LDAP Injection

An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.

CAPEC-15: Command Delimiters

An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.

CAPEC-183: IMAP/SMTP Command Injection

An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.

CAPEC-248: Command Injection

An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.

CAPEC-40: Manipulating Writeable Terminal Devices

This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.

CAPEC-43: Exploiting Multiple Input Interpretation Layers

An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.

CAPEC-75: Manipulating Writeable Configuration Files

Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.

CAPEC-76: Manipulating Web Input to File System Calls

An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.