CWE-77
Allowed-with-ReviewImproper Neutralization of Special Elements used in a Command ('Command Injection')
Abstraction: Class · Status: Draft
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
5380 vulnerabilities reference this CWE, most recent first.
GHSA-XRCM-65V6-9P73
Vulnerability from github – Published: 2023-10-11 18:30 – Updated: 2025-11-04 21:30A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.
{
"affected": [],
"aliases": [
"CVE-2023-32632"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-11T16:15:12Z",
"severity": "CRITICAL"
},
"details": "A command execution vulnerability exists in the validate.so diag_ping_start functionality of Yifan YF325 v1.0_20221108. A specially crafted network request can lead to command execution. An attacker can send a network request to trigger this vulnerability.",
"id": "GHSA-xrcm-65v6-9p73",
"modified": "2025-11-04T21:30:43Z",
"published": "2023-10-11T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32632"
},
{
"type": "WEB",
"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1767"
},
{
"type": "WEB",
"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2023-1767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XRF3-35RJ-G634
Vulnerability from github – Published: 2025-02-21 21:32 – Updated: 2025-02-21 21:32Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua.
{
"affected": [],
"aliases": [
"CVE-2025-25605"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-02-21T19:15:14Z",
"severity": "MODERATE"
},
"details": "Totolink X5000R V9.1.0u.6369_B20230113 is vulnerable to command injection via the apcli_wps_gen_pincode function in mtkwifi.lua.",
"id": "GHSA-xrf3-35rj-g634",
"modified": "2025-02-21T21:32:08Z",
"published": "2025-02-21T21:32:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25605"
},
{
"type": "WEB",
"url": "https://github.com/sezangel/IOT-vul/tree/main/Totolink/X5000R/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-XRJF-PHVV-R4VR
Vulnerability from github – Published: 2022-02-27 00:00 – Updated: 2022-03-09 20:26When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular link, this happens due to improper sanitization of user input.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "strapi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-0764"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2022-03-01T21:42:15Z",
"nvd_published_at": "2022-02-26T15:15:00Z",
"severity": "MODERATE"
},
"details": "When creating a strapi app using npxcreate-strapi-app, we can inject arbitrary commands through the template cli argument as per the code in this particular [link](https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13), this happens due to improper sanitization of user input.",
"id": "GHSA-xrjf-phvv-r4vr",
"modified": "2022-03-09T20:26:21Z",
"published": "2022-02-27T00:00:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0764"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/issues/12879"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c"
},
{
"type": "PACKAGE",
"url": "https://github.com/strapi/strapi"
},
{
"type": "WEB",
"url": "https://github.com/strapi/strapi/blob/master/packages/generators/app/lib/utils/fetch-npm-template.js#L13"
},
{
"type": "WEB",
"url": "https://huntr.dev/bounties/001d1c29-805a-4035-93bb-71a0e81da3e5"
},
{
"type": "WEB",
"url": "https://www.github.com/strapi/strapi/commit/2a3f5e988be6a2c7dae5ac22b9e86d579b462f4c"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:L",
"type": "CVSS_V3"
}
],
"summary": "Command injection in strapi"
}
GHSA-XRQ4-556F-VXWR
Vulnerability from github – Published: 2026-05-01 21:31 – Updated: 2026-05-01 21:31A security vulnerability has been detected in Sunwood-ai-labs command-executor-mcp-server up to 0.1.0. This impacts the function execute_command of the file src/index.ts of the component MCP Interface. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
{
"affected": [],
"aliases": [
"CVE-2026-7593"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-01T21:16:17Z",
"severity": "MODERATE"
},
"details": "A security vulnerability has been detected in Sunwood-ai-labs command-executor-mcp-server up to 0.1.0. This impacts the function execute_command of the file src/index.ts of the component MCP Interface. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
"id": "GHSA-xrq4-556f-vxwr",
"modified": "2026-05-01T21:31:20Z",
"published": "2026-05-01T21:31:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7593"
},
{
"type": "WEB",
"url": "https://github.com/Sunwood-ai-labs/command-executor-mcp-server/issues/6"
},
{
"type": "WEB",
"url": "https://github.com/Sunwood-ai-labs/command-executor-mcp-server"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/805507"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/360546"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/360546/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XRV8-2PF5-F3Q7
Vulnerability from github – Published: 2025-12-05 18:57 – Updated: 2025-12-05 18:57Summary
Adding default PCR12 validation to ensure that account operators can not modify kernel command line parameters, potentially bypassing root filesystem integrity validation.
Attestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system.
When UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value.
Systemd-boot provides separate measurement of command line modifications in PCR12.
Impact
In line with the TPM 2.0 specification and systemd-stub logic, KMS policies that do not include validation for PCR12 (command line measurement) or PCR7 (enabled Secure Boot) may allow kernel command line modification by an account operator.
Patches
Version 1.1.0 of nitro-tpm-pcr-compute has been updated to include PCR12 with a static zero value. The updated tool now outputs PCR12 in the JSON measurements:
{
"Measurements": {
"HashAlgorithm": "SHA384",
"PCR4": "<hex string>",
"PCR7": "<hex string>",
"PCR12": "000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
}
}
Workarounds
For users who cannot upgrade to version 1.1.0 of nitro-tpm-pcr-compute immediately, the following workarounds are available:
- Manually add PCR12 to KMS policies: Add PCR12 with a static zero value to your AWS KMS key policies:
kms:RecipientAttestation:NitroTPMPCR12:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
- Enable and validate UEFI Secure Boot: Configure your Attestable AMI to use UEFI Secure Boot and validate its enablement via PCR7 in your KMS policy. When UEFI Secure Boot is active, the command line cannot be overwritten.
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "nitro-tpm-pcr-compute"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-05T18:57:55Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nAdding default PCR12 validation to ensure that account operators can not modify kernel command line parameters, potentially bypassing root filesystem integrity validation.\n\nAttestable AMIs are based on the systemd Unified Kernel Image (UKI) concept which uses systemd-boot to create a single measured UEFI binary from a Linux kernel, its initramfs, and kernel command line. The embedded kernel command line contains a dm-verity hash value that establishes trust in the root file system.\n\nWhen UEFI Secure Boot is disabled, systemd-boot appends any command line it receives to the kernel command line. Account operators with the ability to modify UefiData can install a boot variable with a command line that deactivates root file system integrity validation, while preserving the original PCR4 value.\n\nSystemd-boot provides separate measurement of command line modifications in PCR12.\n\n## Impact\n\nIn line with the TPM 2.0 specification and systemd-stub logic, KMS policies that do not include validation for PCR12 (command line measurement) or PCR7 (enabled Secure Boot) may allow kernel command line modification by an account operator.\n\n## Patches \n\nVersion 1.1.0 of nitro-tpm-pcr-compute has been updated to include PCR12 with a static zero value. The updated tool now outputs PCR12 in the JSON measurements:\n\n```json\n{\n \"Measurements\": {\n \"HashAlgorithm\": \"SHA384\",\n \"PCR4\": \"\u003chex string\u003e\",\n \"PCR7\": \"\u003chex string\u003e\",\n \"PCR12\": \"000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\"\n }\n}\n```\n\n## Workarounds\n\nFor users who cannot upgrade to version 1.1.0 of nitro-tpm-pcr-compute immediately, the following workarounds are available:\n\n1. **Manually add PCR12 to KMS policies:** Add PCR12 with a static zero value to your AWS KMS key policies:\n\n```txt\nkms:RecipientAttestation:NitroTPMPCR12:000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n```\n\n2. **Enable and validate UEFI Secure Boot:** Configure your Attestable AMI to use UEFI Secure Boot and validate its enablement via PCR7 in your KMS policy. When UEFI Secure Boot is active, the command line cannot be overwritten.",
"id": "GHSA-xrv8-2pf5-f3q7",
"modified": "2025-12-05T18:57:55Z",
"published": "2025-12-05T18:57:55Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/nitrotpm-attestation-samples/security/advisories/GHSA-xrv8-2pf5-f3q7"
},
{
"type": "WEB",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/attestable-ami.html"
},
{
"type": "WEB",
"url": "https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/uefi-secure-boot.html"
},
{
"type": "WEB",
"url": "https://github.com/aws/NitroTPM-Tools"
},
{
"type": "WEB",
"url": "https://github.com/aws/NitroTPM-Tools/blob/main/CHANGELOG.md"
},
{
"type": "WEB",
"url": "https://github.com/aws/NitroTPM-Tools/releases/tag/v1.1.0"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/nitrotpm-attestation-samples"
},
{
"type": "WEB",
"url": "https://www.freedesktop.org/software/systemd/man/latest/systemd-stub.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "nitro-tpm-pcr-compute may allow kernel command line modification by an account operator"
}
GHSA-XRXJ-JG56-83P4
Vulnerability from github – Published: 2022-12-12 15:30 – Updated: 2022-12-15 15:32Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.
{
"affected": [],
"aliases": [
"CVE-2022-37902"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-12-12T13:15:00Z",
"severity": "HIGH"
},
"details": "Authenticated command injection vulnerabilities exist in the ArubaOS command line interface. Successful exploitation of these vulnerabilities results in the ability to execute arbitrary commands as a privileged user on the underlying operating system.",
"id": "GHSA-xrxj-jg56-83p4",
"modified": "2022-12-15T15:32:13Z",
"published": "2022-12-12T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-37902"
},
{
"type": "WEB",
"url": "https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-016.txt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV56-3WQ5-9997
Vulnerability from github – Published: 2026-01-13 19:57 – Updated: 2026-01-13 19:57Summary
The user-provided chart name in the kustomize manager is appended to the helm pull --untar command without proper sanitization.
Details
Adversaries can provide a maliciously crafted kustomization.yaml in conjunction with a Helm repo's index.yaml file to trick Renovate to execute arbitrary code.
The value for the depName argument for the helmRepositoryArgs function in lib/modules/manager/kustomize/artifacts.ts is not being escaped using the quote function from the shlex package.
This lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025.
PoC
- Create a mock Helm repository. Have its
index.yamlendpoint return:
apiVersion: v1
entries:
"example || kill 1; echo":
- version: 1.0.1
created: 2016-10-06T16:23:20.499814565-06:00
- version: 1.0.0
created: 2016-10-06T16:23:20.499543808-06:00
- Create a git repo with the following content:
renovate.json5:
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
postUpdateOptions: [
"kustomizeInflateHelmCharts",
]
}
kustomization.yaml:
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- name: "example || kill 1; echo"
repo: TODO reference the mocked Helm repository over https
version: 1.0.0
with the todo resolved
charts/.gitkeep:
(empty)
- Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting "Repository finished", because the ACI vulnerability allowed for execution of
kill 1, terminating the root process of the container.
Impact
This is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "39.218.0"
},
{
"fixed": "40.33.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": true,
"github_reviewed_at": "2026-01-13T19:57:06Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Summary\nThe user-provided chart name in the `kustomize` manager is appended to the `helm pull --untar` command without proper sanitization.\n\n### Details\nAdversaries can provide a maliciously crafted `kustomization.yaml` in conjunction with a Helm repo\u0027s `index.yaml` file to trick Renovate to execute arbitrary code.\nThe value for the `depName` argument for the `helmRepositoryArgs` function in [lib/modules/manager/kustomize/artifacts.ts](https://github.com/renovatebot/renovate/blob/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37/lib/modules/manager/kustomize/artifacts.ts#L33) is not being escaped using the `quote` function from the `shlex` package.\nThis lack of proper sanitization has been present in the product since version 39.218.9 (https://github.com/renovatebot/renovate/commit/cc08c6e98f19e6258c5d3180c70c98e1be0b0d37), released on March 26 of 2025.\n\n### PoC\n1. Create a mock Helm repository. Have its `index.yaml` endpoint return:\n```yaml\napiVersion: v1\nentries:\n \"example || kill 1; echo\":\n - version: 1.0.1\n created: 2016-10-06T16:23:20.499814565-06:00\n - version: 1.0.0\n created: 2016-10-06T16:23:20.499543808-06:00\n```\n\n2. Create a git repo with the following content:\n\n`renovate.json5`:\n\n```json5\n{\n $schema: \"https://docs.renovatebot.com/renovate-schema.json\",\n postUpdateOptions: [\n \"kustomizeInflateHelmCharts\",\n ]\n}\n```\n\n`kustomization.yaml`:\n\n```yaml\nkind: Kustomization\napiVersion: kustomize.config.k8s.io/v1beta1\nhelmCharts:\n - name: \"example || kill 1; echo\"\n repo: TODO reference the mocked Helm repository over https\n version: 1.0.0\n```\nwith the todo resolved\n\n`charts/.gitkeep`:\n\n(empty)\n\n3. Run Renovate against the repo from a Docker container. Notice that the process terminates without reporting \"Repository finished\", because the ACI vulnerability allowed for execution of `kill 1`, terminating the root process of the container.\n\n### Impact\nThis is a Arbitrary Command Injection vulnerability, allowing those with write access on repositories configured to be scanned by Renovate to cause the execution of commands of their choice on the machine that runs Renovate.",
"id": "GHSA-xv56-3wq5-9997",
"modified": "2026-01-13T19:57:06Z",
"published": "2026-01-13T19:57:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-xv56-3wq5-9997"
},
{
"type": "PACKAGE",
"url": "https://github.com/renovatebot/renovate"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository"
}
GHSA-XV96-5Q4X-P79P
Vulnerability from github – Published: 2023-10-21 03:30 – Updated: 2024-04-04 08:51An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.
{
"affected": [],
"aliases": [
"CVE-2023-38193"
],
"database_specific": {
"cwe_ids": [
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-10-21T01:15:08Z",
"severity": "HIGH"
},
"details": "An issue was discovered in SuperWebMailer 9.00.0.01710. It allows Remote Code Execution via a crafted sendmail command line.",
"id": "GHSA-xv96-5q4x-p79p",
"modified": "2024-04-04T08:51:59Z",
"published": "2023-10-21T03:30:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38193"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/en/security-advisories/usd-2023-0015"
},
{
"type": "WEB",
"url": "https://herolab.usd.de/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-XV9X-VWXF-XX9X
Vulnerability from github – Published: 2024-08-27 21:31 – Updated: 2024-08-27 21:31A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.
{
"affected": [],
"aliases": [
"CVE-2024-8211"
],
"database_specific": {
"cwe_ids": [
"CWE-77",
"CWE-78"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-08-27T19:15:18Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20240814. It has been declared as critical. This vulnerability affects the function cgi_FMT_Std2R1_DiskMGR of the file /cgi-bin/hd_config.cgi. The manipulation of the argument f_newly_dev leads to command injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed that the product is end-of-life. It should be retired and replaced.",
"id": "GHSA-xv9x-vwxf-xx9x",
"modified": "2024-08-27T21:31:14Z",
"published": "2024-08-27T21:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-8211"
},
{
"type": "WEB",
"url": "https://github.com/BuaaIOTTeam/Iot_Dlink_NAS/blob/main/DNS_cgi_FMT_Std2R1_DiskMGR.md"
},
{
"type": "WEB",
"url": "https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.275920"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.275920"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.397275"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-XVF2-2W45-WG4P
Vulnerability from github – Published: 2025-05-06 12:30 – Updated: 2025-05-06 12:30A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.
{
"affected": [],
"aliases": [
"CVE-2025-4349"
],
"database_specific": {
"cwe_ids": [
"CWE-74",
"CWE-77"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-05-06T12:15:30Z",
"severity": "HIGH"
},
"details": "A vulnerability classified as critical has been found in D-Link DIR-600L up to 2.07B01. This affects the function formSysCmd. The manipulation of the argument host leads to command injection. It is possible to initiate the attack remotely. This vulnerability only affects products that are no longer supported by the maintainer.",
"id": "GHSA-xvf2-2w45-wg4p",
"modified": "2025-05-06T12:30:25Z",
"published": "2025-05-06T12:30:24Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4349"
},
{
"type": "WEB",
"url": "https://github.com/jylsec/vuldb/blob/main/D-Link/dlink_dir600l/Command_injection-formSysCmd-sysCmd/README.md"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.307467"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.307467"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.558302"
},
{
"type": "WEB",
"url": "https://www.dlink.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
If at all possible, use library calls rather than external processes to recreate the desired functionality.
Mitigation
If possible, ensure that all external commands called from the program are statically created.
Mitigation MIT-5
Strategy: Input Validation
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
Mitigation
Run time: Run time policy enforcement may be used in an allowlist fashion to prevent use of any non-sanctioned commands.
Mitigation
Assign permissions that prevent the user from accessing/opening privileged files.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.
CAPEC-15: Command Delimiters
An attack of this type exploits a programs' vulnerabilities that allows an attacker's commands to be concatenated onto a legitimate command with the intent of targeting other resources such as the file system or database. The system that uses a filter or denylist input validation, as opposed to allowlist validation is vulnerable to an attacker who predicts delimiters (or combinations of delimiters) not present in the filter or denylist. As with other injection attacks, the attacker uses the command delimiter payload as an entry point to tunnel through the application and activate additional attacks through SQL queries, shell commands, network scanning, and so on.
CAPEC-183: IMAP/SMTP Command Injection
An adversary exploits weaknesses in input validation on web-mail servers to execute commands on the IMAP/SMTP server. Web-mail servers often sit between the Internet and the IMAP or SMTP mail server. User requests are received by the web-mail servers which then query the back-end mail server for the requested information and return this response to the user. In an IMAP/SMTP command injection attack, mail-server commands are embedded in parts of the request sent to the web-mail server. If the web-mail server fails to adequately sanitize these requests, these commands are then sent to the back-end mail server when it is queried by the web-mail server, where the commands are then executed. This attack can be especially dangerous since administrators may assume that the back-end server is protected against direct Internet access and therefore may not secure it adequately against the execution of malicious commands.
CAPEC-248: Command Injection
An adversary looking to execute a command of their choosing, injects new items into an existing command thus modifying interpretation away from what was intended. Commands in this context are often standalone strings that are interpreted by a downstream component and cause specific responses. This type of attack is possible when untrusted values are used to build these command strings. Weaknesses in input validation or command construction can enable the attack and lead to successful exploitation.
CAPEC-40: Manipulating Writeable Terminal Devices
This attack exploits terminal devices that allow themselves to be written to by other users. The attacker sends command strings to the target terminal device hoping that the target user will hit enter and thereby execute the malicious command with their privileges. The attacker can send the results (such as copying /etc/passwd) to a known directory and collect once the attack has succeeded.
CAPEC-43: Exploiting Multiple Input Interpretation Layers
An attacker supplies the target software with input data that contains sequences of special characters designed to bypass input validation logic. This exploit relies on the target making multiples passes over the input data and processing a "layer" of special characters with each pass. In this manner, the attacker can disguise input that would otherwise be rejected as invalid by concealing it with layers of special/escape characters that are stripped off by subsequent processing steps. The goal is to first discover cases where the input validation layer executes before one or more parsing layers. That is, user input may go through the following logic in an application: <parser1> --> <input validator> --> <parser2>. In such cases, the attacker will need to provide input that will pass through the input validator, but after passing through parser2, will be converted into something that the input validator was supposed to stop.
CAPEC-75: Manipulating Writeable Configuration Files
Generally these are manually edited files that are not in the preview of the system administrators, any ability on the attackers' behalf to modify these files, for example in a CVS repository, gives unauthorized access directly to the application, the same as authorized users.
CAPEC-76: Manipulating Web Input to File System Calls
An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.