A command injection remote code execution vulnerability was discovered on Western Digital My Cloud Devices that could allow an attacker to execute arbitrary system commands on the device. The vulnerability was addressed by escaping individual arguments to shell functions coming from user input.
CWE-77
CVE-2022-22688
Improper neutralization of special elements used in a command (‘Command Injection’) vulnerability in File service functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-2 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
CVE-2022-22744
The constructed curl command from the “Copy as curl” feature in DevTools was not properly escaped for PowerShell. This could have lead to command injection if pasted into a Powershell prompt.
*This bug only affects Thunderbird for Windows. Other operating systems are unaffected.*. This vulnerability affects Firefox ESR < 91.5, Firefox < 96, and Thunderbird < 91.5.
CVE-2022-2251
Improper sanitization of branch names in GitLab Runner affecting all versions prior to 15.3.5, 15.4 prior to 15.4.4, and 15.5 prior to 15.5.2 allows a user who creates a branch with a specially crafted name and gets another user to trigger a pipeline to execute commands in the runner as that other user.
CVE-2022-22454
IBM InfoSphere Information Server 11.7 could allow a locally authenticated attacker to execute arbitrary commands on the system by sending a specially crafted request.
CVE-2022-2234
An authenticated mySCADA myPRO 8.26.0 user may be able to modify parameters to run commands directly in the operating system.