Total: 5795 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2014-5090 | 1 Status2k | 1 Status2k | 2025-04-12 | 6.5 MEDIUM | N/A | admin/options/logs.php in Status2k allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the Location field in Add Logs in the Admin Panel. |
| CVE-2014-5519 | 1 Phpwiki Project | 1 Phpwiki | 2025-04-12 | 7.5 HIGH | N/A | The Ploticus module in PhpWiki 1.5.0 allows remote attackers to execute arbitrary code via shell metacharacters in a device option in the edit[content] parameter to index.php/HeIp. NOTE: some of these details are obtained from third party information. |
| CVE-2015-1645 | 1 Microsoft | 4 Windows 7, Windows Server 2003, Windows Server 2008 and 1 more | 2025-04-12 | 9.3 HIGH | N/A | Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to execute arbitrary code via a crafted Enhanced Metafile (EMF) image, aka "EMF Processing Remote Code Execution Vulnerability." |
| CVE-2014-9266 | 1 Samsung | 1 Smart Viewer | 2025-04-12 | 6.8 MEDIUM | N/A | The STWConfig ActiveX control in Samsung SmartViewer does not properly initialize a variable, which allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2014-1691 | 1 Horde | 1 Horde Application Framework | 2025-04-12 | 7.5 HIGH | N/A | The framework/Util/lib/Horde/Variables.php script in the Util library in Horde before 5.1.1 allows remote attackers to conduct object injection attacks and execute arbitrary PHP code via a crafted serialized object in the _formvars form. |
| CVE-2013-4321 | 1 Typo3 | 1 Typo3 | 2025-04-12 | 6.5 MEDIUM | N/A | The File Abstraction Layer (FAL) in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.4 allows remote authenticated editors to execute arbitrary PHP code via unspecified characters in the file extension when renaming a file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4250. |
| CVE-2014-2558 | 1 Skyphe | 1 File-gallery | 2025-04-12 | 6.5 MEDIUM | N/A | The File Gallery plugin before 1.7.9.2 for WordPress does not properly escape strings, which allows remote administrators to execute arbitrary PHP code via a \' (backslash quote) in the setting fields to /wp-admin/options-media.php, related to the create_function function. |
| CVE-2014-4152 | 1 Alienvault | 1 Open Source Security Information Management | 2025-04-12 | 10.0 HIGH | N/A | The av-centerd SOAP service in AlienVault OSSIM before 4.8.0 allows remote attackers to execute arbitrary code via a crafted remote_task request, related to injecting an ssh public key. |
| CVE-2016-7110 | 1 Huawei | 1 Uma | 2025-04-12 | 10.0 HIGH | 9.8 CRITICAL | Huawei Unified Maintenance Audit (UMA) before V200R001C00SPC200 allows remote attackers to execute arbitrary commands via "special characters," a different vulnerability than CVE-2016-7109. |
| CVE-2014-5340 | 1 Check Mk Project | 1 Check Mk | 2025-04-12 | 9.3 HIGH | N/A | The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL. |
| CVE-2014-2196 | 1 Cisco | 1 Wide Area Application Services | 2025-04-12 | 9.3 HIGH | N/A | Cisco Wide Area Application Services (WAAS) 5.1.1 before 5.1.1e, when SharePoint prefetch optimization is enabled, allows remote SharePoint servers to execute arbitrary code via a malformed response, aka Bug ID CSCue18479. |
| CVE-2014-3805 | 1 Alienvault | 1 Open Source Security Information Management | 2025-04-12 | 10.0 HIGH | N/A | The av-centerd SOAP service in AlienVault OSSIM before 4.7.0 allows remote attackers to execute arbitrary commands via a crafted (1) get_license, (2) get_log_line, or (3) update_system/upgrade_pro_web request, a different vulnerability than CVE-2014-3804. |
| CVE-2013-6943 | 1 Citrix | 1 Netscaler Application Delivery Controller Firmware | 2025-04-12 | 5.0 MEDIUM | N/A | Citrix NetScaler Application Delivery Controller (ADC) 9.3.x before 9.3-64.4, 10.0 before 10.0-77.5, and 10.1 before 10.1-118.7 allows remote attackers to conduct an LDAP injection attack via vectors related to SSH and Web management usernames. |
| CVE-2014-4767 | 1 Ibm | 1 Websphere Application Server | 2025-04-12 | 6.5 MEDIUM | N/A | IBM WebSphere Application Server (WAS) Liberty Profile 8.5.x before 8.5.5.3 does not properly use the Liberty Repository for feature installation, which allows remote authenticated users to execute arbitrary code via unspecified vectors. |
| CVE-2015-0090 | 1 Microsoft | 9 Windows 7, Windows 8, Windows 8.1 and 6 more | 2025-04-12 | 9.3 HIGH | N/A | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093. |
| CVE-2014-3453 | 1 Flag Module Project | 1 Flag | 2025-04-12 | 6.5 MEDIUM | N/A | Eval injection vulnerability in the flag_import_form_validate function in includes/flag.export.inc in the Flag module 7.x-3.0, 7.x-3.5, and earlier for Drupal allows remote authenticated administrators to execute arbitrary PHP code via the "Flag import code" text area to admin/structure/flags/import. NOTE: this issue could also be exploited by other attackers if the administrator ignores a security warning on the permissions assignment page. |
| CVE-2014-7205 | 1 Bassmaster Project | 1 Bassmaster | 2025-04-12 | 10.0 HIGH | N/A | Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for the hapi server framework for Node.js allows remote attackers to execute arbitrary Javascript code via unspecified vectors. |
| CVE-2014-0057 | 1 Redhat | 2 Cloudforms, Cloudforms 3.0 Management Engine | 2025-04-12 | 7.5 HIGH | N/A | The x_button method in the ServiceController (vmdb/app/controllers/service_controller.rb) in Red Hat CloudForms 3.0 Management Engine 5.2 allows remote attackers to execute arbitrary methods via unspecified vectors. |
| CVE-2015-7729 | 1 Sap | 1 Hana | 2025-04-12 | 6.5 MEDIUM | N/A | Eval injection in test-net.xsjs in the Web-based Development Workbench in SAP HANA Developer Edition DB 1.00.091.00.1418659308 allows remote authenticated users to execute arbitrary XSJS code via unspecified vectors, aka SAP Security Note 2153892. |
| CVE-2013-3998 | 1 Ibm | 1 Infosphere Biginsights | 2025-04-12 | 3.5 LOW | N/A | CRLF injection vulnerability in the Web Application Enterprise Console in IBM InfoSphere BigInsights 1.1 and 2.x before 2.1 FP2 allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. |
| CVE-2015-1311 | 1 Sap | 1 Hana Extended Application Services | 2025-04-12 | 10.0 HIGH | N/A | The Extended Application Services (XS) in SAP HANA allows remote attackers to inject arbitrary ABAP code via unspecified vectors, aka SAP Note 2098906. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. |
| CVE-2012-5488 | 1 Plone | 1 Plone | 2025-04-12 | 5.0 MEDIUM | N/A | python_scripts.py in Plone before 4.2.3 and 4.3 before beta 1 allows remote attackers to execute Python code via a crafted URL, related to createObject. |
| CVE-2016-0033 | 1 Microsoft | 1 .net Framework | 2025-04-12 | 5.0 MEDIUM | 7.5 HIGH | Microsoft .NET Framework 2.0 SP2, 3.5, 3.5.1, 4.5.2, 4.6, and 4.6.1 does not prevent recursive compilation of XSLT transforms, which allows remote attackers to cause a denial of service (performance degradation) via crafted XSLT data, aka ".NET Framework Stack Overflow Denial of Service Vulnerability." |
| CVE-2014-3518 | 1 Redhat | 4 Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform, Jboss Enterprise Portal Platform and 1 more | 2025-04-12 | 6.8 MEDIUM | N/A | jmx-remoting.sar in JBoss Remoting, as used in Red Hat JBoss Enterprise Application Platform (JEAP) 5.2.0, Red Hat JBoss BRMS 5.3.1, Red Hat JBoss Portal Platform 5.2.2, and Red Hat JBoss SOA Platform 5.3.1, does not properly implement the JSR 160 specification, which allows remote attackers to execute arbitrary code via unspecified vectors. |
| CVE-2014-7260 | 1 Ultrapop | 1 I-httpd | 2025-04-12 | 7.5 HIGH | N/A | The Server Side Includes (SSI) implementation in the File Upload BBS component in ULTRAPOP.JP i-HTTPD allows remote attackers to execute arbitrary commands by uploading files containing commands in SSI directives. |
| CVE-2014-0574 | 4 Adobe, Apple, Linux and 1 more | 7 Air, Air Sdk, Air Sdk & Compiler and 4 more | 2025-04-12 | 10.0 HIGH | N/A | Double free vulnerability in Adobe Flash Player before 13.0.0.252 and 14.x and 15.x before 15.0.0.223 on Windows and OS X and before 11.2.202.418 on Linux, Adobe AIR before 15.0.0.356, Adobe AIR SDK before 15.0.0.356, and Adobe AIR SDK & Compiler before 15.0.0.356 allows attackers to execute arbitrary code via unspecified vectors. |
| CVE-2014-0603 | 1 Attachmate | 1 Reflection Ftp Client | 2025-04-12 | 10.0 HIGH | N/A | The rftpcom.dll ActiveX control in Attachmate Reflection FTP Client before 14.1.429 allows remote attackers to cause a denial of service (memory corruption) and execute arbitrary code via vectors related to the (1) GetGlobalSettings or (2) GetSiteProperties3 methods, which triggers a dereference of an arbitrary memory address. NOTE: this issue was MERGED with CVE-2014-0606 because it is the same type of vulnerability, affecting the same set of versions, and discovered by the same researcher. |
| CVE-2013-6399 | 1 Qemu | 1 Qemu | 2025-04-12 | 7.5 HIGH | N/A | Array index error in the virtio_load function in hw/virtio/virtio.c in QEMU before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image. |
| CVE-2014-6119 | 1 Ibm | 2 Security Appscan, Security Appscan Source | 2025-04-12 | 9.3 HIGH | N/A | IBM Security AppScan Enterprise 8.5 before 8.5 IFix 002, 8.6 before 8.6 IFix 004, 8.7 before 8.7 IFix 004, 8.8 before 8.8 iFix 003, 9.0 before 9.0.0.1 iFix 003, and 9.0.1 before 9.0.1 iFix 001 allows remote attackers to execute arbitrary code via a crafted executable file in an archive. |
| CVE-2014-7296 | 1 Eng | 1 Spagobi | 2025-04-12 | 6.8 MEDIUM | N/A | The default configuration in the accessibility engine in SpagoBI 5.0.0 does not set FEATURE_SECURE_PROCESSING, which allows remote authenticated users to execute arbitrary Java code via a crafted XSL document. |
| CVE-2013-7362 | 1 Sap | 1 Ccms Agent | 2025-04-12 | 7.5 HIGH | N/A | An unspecified RFC function in SAP CCMS Agent allows remote attackers to execute arbitrary commands via unknown vectors. |
| CVE-2015-5970 | 1 Novell | 1 Zenworks Configuration Management | 2025-04-12 | 5.0 MEDIUM | 5.3 MEDIUM | The ChangePassword RPC method in Novell ZENworks Configuration Management (ZCM) 11.3 and 11.4 allows remote attackers to conduct XPath injection attacks, and read arbitrary text files, via a malformed query involving a system entity reference. |
| CVE-2014-2866 | 1 Paperthin | 1 Commonspot Content Server | 2025-04-12 | 10.0 HIGH | N/A | PaperThin CommonSpot before 7.0.2 and 8.x before 8.0.3 relies on client JavaScript code for access restrictions, which allows remote attackers to perform unspecified operations by modifying this code. |
| CVE-2014-8770 | 1 Magmi Project | 1 Magmi | 2025-04-12 | 9.0 HIGH | N/A | Unrestricted file upload vulnerability in magmi/web/magmi.php in the MAGMI (aka Magento Mass Importer) plugin 0.7.17a and earlier for Magento Community Edition (CE) allows remote authenticated users to execute arbitrary code by uploading a ZIP file that contains a PHP file, then accessing the PHP file via a direct request to it in magmi/plugins/. |
| CVE-2013-4151 | 1 Qemu | 1 Qemu | 2025-04-12 | 7.5 HIGH | N/A | The virtio_load function in virtio/virtio.c in QEMU 1.x before 1.7.2 allows remote attackers to execute arbitrary code via a crafted savevm image, which triggers an out-of-bounds write. |
| CVE-2013-1850 | 1 Owncloud | 2 Owncloud, Owncloud Server | 2025-04-12 | 6.5 MEDIUM | N/A | Multiple incomplete blacklist vulnerabilities in (1) import.php and (2) ajax/uploadimport.php in apps/contacts/ in ownCloud before 4.0.13 and 4.5.x before 4.5.8 allow remote authenticated users to execute arbitrary PHP code by uploading a .htaccess file. |
| CVE-2014-1939 | 2 Google, Lenovo | 2 Android, Shareit | 2025-04-12 | 7.5 HIGH | N/A | java/android/webkit/BrowserFrame.java in Android before 4.4 uses the addJavascriptInterface API in conjunction with creating an object of the SearchBoxImpl class, which allows attackers to execute arbitrary Java code by leveraging access to the searchBoxJavaBridge_ interface at certain Android API levels. |
| CVE-2014-5112 | 1 Netfortris | 1 Trixbox | 2025-04-12 | 7.5 HIGH | N/A | maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter. |
| CVE-2013-6468 | 1 Redhat | 3 Jboss Bpm Suite, Jboss Drools, Jboss Enterprise Brms Platform | 2025-04-12 | 6.5 MEDIUM | N/A | JBoss Drools, Red Hat JBoss BRMS before 6.0.1, and Red Hat JBoss BPM Suite before 6.0.1 allows remote authenticated users to execute arbitrary Java code via a (1) MVFLEX Expression Language (MVEL) or (2) Drools expression. |
| CVE-2014-5297 | 1 X2engine | 1 X2engine | 2025-04-12 | 7.5 HIGH | N/A | The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter. |