Total
5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10769 | 1 Safer-eval Project | 1 Safer-eval | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
|
|||||
| CVE-2019-10684 | 1 74cms | 1 74cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit site_domain parameter.
|
|||||
| CVE-2019-10633 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs.
|
|||||
| CVE-2019-10431 | 1 Jenkins | 1 Script Security | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
|
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.
|
|||||
| CVE-2019-10211 | 2 Microsoft, Postgresql | 2 Windows, Postgresql | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory.
|
|||||
| CVE-2019-10182 | 2 Icedtea-web Project, Redhat | 6 Icedtea-web, Enterprise Linux Desktop, Enterprise Linux Server and 3 more | 2024-11-21 | 5.8 MEDIUM | 8.2 HIGH |
|
It was found that icedtea-web though 1.7.2 and 1.8.2 did not properly sanitize paths from <jar/> elements in JNLP files. An attacker could trick a victim into running a specially crafted application and use this flaw to upload arbitrary files to arbitrary locations in the context of the user.
|
|||||
| CVE-2019-10100 | 1 Jetbrains | 1 Youtrack Integration | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The attacker could add an Issue macro to the page in Confluence, and use a combination of a valid id field and specially crafted code in the link-text-template field to execute code remotely.
|
|||||
| CVE-2019-10015 | 1 Baigo | 1 Baigo Sso | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitrary PHP code via the first form field of a configuration screen, because this code is written to the BG_SITE_NAME field in the opt_base.inc.php file.
|
|||||
| CVE-2019-0542 | 2 Redhat, Xtermjs | 2 Openshift Container Platform, Xterm.js | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js.
|
|||||
| CVE-2019-0355 | 1 Sap | 1 Netweaver Application Server Java | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
SAP NetWeaver Application Server Java Web Container, ENGINEAPI (before versions 7.10, 7.20, 7.30, 7.31, 7.40, 7.50) and SAP-JEECOR (before versions 6.40, 7.0, 7.01), allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.
|
|||||
| CVE-2019-0343 | 1 Sap | 1 Commerce Cloud | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SAP Commerce Cloud (Mediaconversion Extension), versions 6.4, 6.5, 6.6, 6.7, 1808, 1811, 1905, allows an authenticated Backoffice/HMC user to inject code that can be executed by the application, leading to Code Injection. An attacker could thereby control the behavior of the application.
|
|||||
| CVE-2019-0330 | 1 Sap | 1 Diagnostics Agent | 2024-11-21 | 6.5 MEDIUM | 9.1 CRITICAL |
|
The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
|
|||||
| CVE-2019-0247 | 1 Sap | 1 Cloud Connector | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
|
|||||
| CVE-2019-0091 | 1 Intel | 2 Converged Security And Management Engine, Trusted Execution Technology | 2024-11-21 | 7.2 HIGH | 7.8 HIGH |
|
Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.
|
|||||
| CVE-2018-9848 | 1 Gxlcms | 1 Gxlcms Qy | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request.
|
|||||
| CVE-2018-9847 | 1 Gxlcms | 1 Gxlcms Qy | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template.
|
|||||
| CVE-2018-9175 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php.
|
|||||
| CVE-2018-9174 | 1 Dedecms | 1 Dedecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control.
|
|||||
| CVE-2018-9113 | 1 Cdc | 1 Microbetrace | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
|
Centers for Disease Control and Prevention MicrobeTRACE 0.1.12 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial '><script type="text/javascript" src=' line. Fix released on 2018-03-29.
|
|||||
| CVE-2018-8974 | 1 Cdc | 1 Microbetrace | 2024-11-21 | 9.3 HIGH | 7.8 HIGH |
|
Centers for Disease Control and Prevention MicrobeTRACE 0.1.11 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial 'Source<script type="text/javascript" src=' line. Fix released on 2018-03-28.
|
|||||
| CVE-2018-8966 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.
|
|||||
| CVE-2018-8938 | 1 Progress | 1 Whatsup Gold | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server.
|
|||||
| CVE-2018-8823 | 2 Prestashop, Responsive Mega Menu Pro Project | 2 Prestashop, Responsive Mega Menu Pro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter.
|
|||||
| CVE-2018-8756 | 1 Yzmcms | 1 Yzmcms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request.
|
|||||
| CVE-2018-8540 | 1 Microsoft | 9 .net Framework, Windows 10, Windows 7 and 6 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7.1/4.7.2, ...
Show More |
|||||
| CVE-2018-8415 | 1 Microsoft | 9 Powershell Core, Windows 10, Windows 7 and 6 more | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
|
A tampering vulnerability exists in PowerShell that could allow an attacker to execute unlogged code, aka "Microsoft PowerShell Tampering Vulnerability." This affects Windows 7, PowerShell Core 6.1, Windows Server 2012 R2, Windows RT 8.1, PowerShell Core 6.0, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
|
|||||
| CVE-2018-8346 | 1 Microsoft | 2 Windows 7, Windows Server 2008 | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8345.
|
|||||
| CVE-2018-8345 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 7.6 HIGH | 7.5 HIGH |
|
A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8346.
|
|||||
| CVE-2018-8344 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2024-11-21 | 9.3 HIGH | 8.8 HIGH |
|
A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
|
|||||
| CVE-2018-8284 | 1 Microsoft | 13 .net Framework, Project Server, Sharepoint Enterprise Server and 10 more | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
|
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Micr ...
Show More |
|||||
| CVE-2018-8097 | 1 Python-eve | 1 Eve | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.
|
|||||
| CVE-2018-8074 | 1 Yiiframework | 1 Yii | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
|
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
|
|||||
| CVE-2018-8073 | 1 Yiiframework | 1 Yii | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
|
|||||
| CVE-2018-7951 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
|
|||||
| CVE-2018-7950 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
|
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Successful exploit may allow attackers to obtain the management privilege of the system.
|
|||||
| CVE-2018-7801 | 1 Schneider-electric | 2 Evlink Parking, Evlink Parking Firmware | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed.
|
|||||
| CVE-2018-7756 | 1 Dewesoft | 1 Dewesoft | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
|
RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.
|
|||||
| CVE-2018-7748 | 1 Servicenow | 1 Servicenow | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter.
|
|||||
| CVE-2018-7633 | 1 Adbglobal | 1 Epicentro | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.
|
|||||
| CVE-2018-7466 | 1 Testlink | 1 Testlink | 2024-11-21 | 6.0 MEDIUM | 7.5 HIGH |
|
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
|
|||||