Cwe 78

🧬 CWE Related 120
slug: cwe-78

Explanation

CWE-78は「ユーザー入力をシェルコマンドの一部として使うとき、適切にエスケープせず、攻撃者がコマンドを追加実行できてしまう欠陥」のことです。 例えば `ping {ユーザー入力IP}` の {ユーザー入力IP} に `; rm -rf /` のような文字列を入れられると、サーバー上のファイルが削除されます。 対策は「シェル経由を避け、引数を配列として直接渡す (PHPなら escapeshellarg)」。
📌 Example
Shellshock (CVE-2014-6271): Bashの脆弱性で、Webサーバーへの普通のリクエスト経由で任意のシェルコマンドが実行できた歴史的な事件。

🔖 Related tags

🛡 Vulnerabilities tagged with this 796

ID Title
CVE-2024-11120 KEV [KEV] OS Command Injection in Geovision multiple-devices (CVE-2024-11120)
CVE-2024-6047 KEV [KEV] OS Command Injection in Geovision multiple-devices (CVE-2024-6047)
CVE-2023-44221 KEV [KEV] OS Command Injection in Sonicwall sma100-appliances (CVE-2023-44221)
CVE-2021-20035 KEV [KEV] OS Command Injection in Sonicwall sma100-appliances (CVE-2021-20035)
CVE-2025-1316 KEV [KEV] OS Command Injection in Edimax ic-7100-ip-camera (CVE-2025-1316)
CVE-2025-1244 OS Command Injection in CVE-2025-1244 (CVE-2025-1244)
CVE-2024-40891 KEV [KEV] OS Command Injection in Zyxel dsl-cpe-devices (CVE-2024-40891)
CVE-2024-40890 KEV [KEV] OS Command Injection in Zyxel dsl-cpe-devices (CVE-2024-40890)
CVE-2018-9276 KEV [KEV] OS Command Injection in Paessler prtg-network-monitor (CVE-2018-9276)
CVE-2024-50603 KEV [KEV] OS Command Injection in Aviatrix controllers (CVE-2024-50603)
CVE-2024-12686 KEV [KEV] OS Command Injection in Beyondtrust privileged-remote-access-pra-and-remote-support-rs (CVE-2024-12686)
CVE-2024-12970 OS Command Injection in CVE-2024-12970 (CVE-2024-12970)
CVE-2021-40407 KEV [KEV] OS Command Injection in Reolink rlc-410w-ip-camera (CVE-2021-40407)
CVE-2019-11001 KEV [KEV] OS Command Injection in Reolink multiple-ip-cameras (CVE-2019-11001)
CVE-2018-14933 KEV [KEV] OS Command Injection in Nuuo nvrmini-devices (CVE-2018-14933)
CVE-2024-52723 OS Command Injection in totolink (CVE-2024-52723)
CVE-2024-1212 KEV [KEV] OS Command Injection in Progress kemp-loadmaster (CVE-2024-1212)
CVE-2024-9463 KEV [KEV] OS Command Injection in Palo alto networks palo-alto-networks (CVE-2024-9463)
CVE-2024-10035 Command Injection in privilege-escalation (CVE-2024-10035)
CVE-2024-8957 KEV [KEV] OS Command Injection in Ptzoptics pt30x-sdindi-cameras (CVE-2024-8957)
CVE-2020-15415 KEV [KEV] OS Command Injection in Draytek multiple-vigor-routers (CVE-2020-15415)
CVE-2023-25280 KEV [KEV] OS Command Injection in D-link dir-820-router (CVE-2023-25280)
CVE-2024-8190 KEV [KEV] OS Command Injection in Ivanti cloud-services-appliance (CVE-2024-8190)
CVE-2024-6917 OS Command Injection in veribase (CVE-2024-6917)
CVE-2024-38887 OS Command Injection in horizoncloud (CVE-2024-38887)
CVE-2024-38889 SQL Injection in sqli (CVE-2024-38889)
CVE-2024-38882 OS Command Injection in sqli (CVE-2024-38882)
CVE-2024-20399 KEV [KEV] OS Command Injection in Cisco nx-os (CVE-2024-20399)
CVE-2024-37626 OS Command Injection in totolink (CVE-2024-37626)
CVE-2024-4577 KEV [KEV] OS Command Injection in Php group php-group (CVE-2024-4577)

🍪 About cookies

We use cookies to keep you logged in, remember your language, and improve the service.

Details →