Total
4424 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-10948 | 1 Alienform2 Project | 1 Alienform2 | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests. | |||||
| CVE-2020-10389 | 1 Chadhaajay | 1 Phpkb | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings. | |||||
| CVE-2020-10257 | 1 Themerex | 63 Addons, Aldo-gutenberg Wordpress Blog Theme, Amuli and 60 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter. | |||||
| CVE-2020-10176 | 1 Assaabloy | 2 Yale Wipc-301w, Yale Wipc-301w Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. | |||||
| CVE-2020-10055 | 1 Siemens | 2 Desigo Consumption Control, Desigo Consumption Control Compact | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges. | |||||
| CVE-2019-9891 | 1 Tldp | 1 Advanced Bash-scripting Guide | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The function getopt_simple as described in Advanced Bash Scripting Guide (ISBN 978-1435752184) allows privilege escalation and execution of commands when used in a shell script called, for example, via sudo. | |||||
| CVE-2019-9848 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. | |||||
| CVE-2019-9651 | 1 Sdcms | 1 Sdcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SDCMS V1.7. In the \app\admin\controller\themecontroller.php file, the check_bad() function's filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP functions (such as "eval") are blocked but others (such as "system") are not, and because ".php" is blocked but ".PHP" is not blocked. | |||||
| CVE-2019-9227 | 1 Baigo | 1 Baigo Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file. | |||||
| CVE-2019-9163 | 1 Marchnetworks | 1 Command Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | |||||
| CVE-2019-9115 | 1 Irisnet | 1 Irisnet-crypto | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage. | |||||
| CVE-2019-8341 | 2 Opensuse, Pocoo | 2 Leap, Jinja2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with {{INJECTION COMMANDS}} in a URI. NOTE: The maintainer and multiple third parties believe that this vulnerability isn't valid because users shouldn't use untrusted templates without sandboxing | |||||
| CVE-2019-8324 | 4 Debian, Opensuse, Redhat and 1 more | 4 Debian Linux, Leap, Enterprise Linux and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. | |||||
| CVE-2019-7871 | 1 Magento | 1 Magento | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection. | |||||
| CVE-2019-7720 | 1 Taogogo | 1 Taocms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | |||||
| CVE-2019-7719 | 1 Nibbleblog | 1 Nibbleblog | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request. | |||||
| CVE-2019-7692 | 1 Cim Project | 1 Cim | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP fputs function that creates a .php file in the public folder. | |||||
| CVE-2019-7580 | 1 Thinkcmf | 1 Thinkcmf | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection. | |||||
| CVE-2019-7486 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Code injection in SonicWall SMA100 allows an authenticated user to execute arbitrary code in viewcacert CGI script. This vulnerability impacted SMA100 version 9.0.0.4 and earlier. | |||||
| CVE-2019-7177 | 1 Pexip | 1 Pexip Infinity | 2024-11-21 | 9.0 HIGH | 7.2 HIGH |
| Pexip Infinity before 20.1 allows Code Injection onto nodes via an admin. | |||||