CVEbaza.plSłownik CWECWE-146
Common Weakness Enumeration

CWE-146

Improper Neutralization of Expression/Command Delimiters

Kategoria: VariantCVE: 9
Opis

Produkt otrzymuje dane wejściowe z komponentu upstream, ale nie neutralizuje lub nieprawidłowo neutralizuje elementy specjalne, które mogą być interpretowane jako ograniczniki wyrażeń lub poleceń podczas wysyłania do komponentu downstream. Może to prowadzić do nieautoryzowanego wykonania kodu lub poleceń.

Description (EN)

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as expression or command delimiters when they are sent to a downstream component.

Podatności CVE z CWE-146 (9)
9.9
CVSS
CRITICAL
CVE-2024-20329

Podatność w podsystemie SSH oprogramowania Cisco Adaptive Security Appliance (ASA) umożliwia uwierzytelnionemu zdalnemu atakującemu wykonanie dowolnych poleceń systemu operacyjnego z uprawnieniami root. Jest to szczególnie groźne, ponieważ nawet użytkownik z ograniczonymi uprawnieniami może przejąć pełną kontrolę nad urządzeniem.

pub. 2024-10-23
8.8
CVSS
HIGH
CVE-2025-53192

** UNSUPPORTED WHEN ASSIGNED ** Improper Neutralization of Expression/Command Delimiters vulnerability in Apache Commons OGNL. This issue affects Apache Commons OGNL: all versions. When using the API Ognl.getValue​, the OGNL engine parses and evaluates the provided expression with powerful capabilities, including accessing and invoking related methods, etc. Although OgnlRuntime attempts to restrict certain dangerous classes and methods (such as java.lang.Runtime) through a blocklist, these restrictions are not comprehensive. Attackers may be able to bypass the restrictions by leveraging class objects that are not covered by the blocklist and potentially achieve arbitrary code execution. As this project is retired, we do not plan to release a version that fixes this issue. Users are recommended to find an alternative or restrict access to the instance to trusted users. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

pub. 2025-08-18
7.8
CVSS
HIGH
CVE-2023-20035

A vulnerability in the CLI of Cisco IOS XE SD-WAN Software could allow an authenticated, local attacker to execute arbitrary commands with elevated privileges. This vulnerability is due to insufficient input validation by the system CLI. An attacker with privileges to run commands could exploit this vulnerability by first authenticating to an affected device using either local terminal access or a management shell interface and then submitting crafted input to the system CLI. A successful exploit could allow the attacker to execute commands on the underlying operating system with root-level privileges. An attacker with limited user privileges could use this vulnerability to gain complete control over the system. Note: For additional information about specific impacts, see the Details section of this advisory.

pub. 2023-03-23
7.4
CVSS
HIGH
CVE-2022-4055

When xdg-mail is configured to use thunderbird for mailto URLs, improper parsing of the URL can lead to additional headers being passed to thunderbird that should not be included per RFC 2368. An attacker can use this method to create a mailto URL that looks safe to users, but will actually attach files when clicked.

pub. 2022-11-19
7.2
CVSS
HIGH
CVE-2024-20470

A vulnerability in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN Routers could allow an authenticated, remote attacker to execute arbitrary code on an affected device. In order to exploit this vulnerability, the attacker must have valid admin credentials. This vulnerability exists because the web-based management interface does not sufficiently validate user-supplied input. An attacker could exploit this vulnerability by sending crafted HTTP input to an affected device. A successful exploit could allow the attacker to execute arbitrary code as the root user on the underlying operating system.

pub. 2024-10-02
7.2
CVSS
HIGH
CVE-2023-20117

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as the root user on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates to address these vulnerabilities.

pub. 2023-04-05
7.2
CVSS
HIGH
CVE-2023-20128

Multiple vulnerabilities in the web-based management interface of Cisco Small Business RV320 and RV325 Dual Gigabit WAN VPN Routers could allow an authenticated, remote attacker to inject and execute arbitrary commands on the underlying operating system of an affected device. These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by sending malicious input to an affected device. A successful exploit could allow the attacker to execute arbitrary commands as the root user on the underlying Linux operating system of the affected device. To exploit these vulnerabilities, an attacker would need to have valid Administrator credentials on the affected device. Cisco has not released software updates to address these vulnerabilities.

pub. 2023-04-05
6.0
CVSS
MEDIUM
CVE-2025-20237

A vulnerability in Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary commands on the underlying operating system with root-level privileges. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient input validation of commands that are supplied by the user. An attacker could exploit this vulnerability by authenticating to a device and submitting crafted input for specific commands. A successful exploit could allow the attacker to execute commands on the underlying operating system as root.

pub. 2025-08-14
4.7
CVSS
MEDIUM
CVE-2026-22266

Dell PowerProtect Data Manager, version(s) prior to 19.22, contain(s) an Improper Verification of Source of a Communication Channel vulnerability in the REST API. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to protection mechanism bypass.

pub. 2026-02-19
Informacje
ID: CWE-146
Typ: Variant
Podatności: 9
MITRE CWE ↗
← Słownik CWE