Total
4402 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-18113 | 1 Atlassian | 2 Data Center, Jira | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| The DefaultOSWorkflowConfigurator class in Jira Server and Jira Data Center before version 8.18.1 allows remote attackers who can trick a system administrator to import their malicious workflow to execute arbitrary code via a Remote Code Execution (RCE) vulnerability. The vulnerability allowed for various problematic OSWorkflow classes to be used as part of workflows. The fix for this issue blocks usage of unsafe conditions, validators, functions and registers that are build-in into OSWorkflow library and other Jira dependencies. Atlassian-made functions or functions provided by 3rd party plugins are not affected by this fix. | |||||
| CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
| CVE-2017-17098 | 1 Gps-server | 1 Gps Tracking Software | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The writeLog function in fn_common.php in gps-server.net GPS Tracking Software (self hosted) through 3.0 allows remote attackers to inject arbitrary PHP code via a crafted request that is mishandled during admin log viewing, as demonstrated by <?php system($_GET[cmd]); ?> in a login request. | |||||
| CVE-2017-16905 | 2 Duolingo, Google | 2 Tinycards, Android | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| The DuoLingo TinyCards application before 1.0 for Android has one use of unencrypted HTTP, which allows remote attackers to spoof content, and consequently achieve remote code execution, via a man-in-the-middle attack. | |||||
| CVE-2017-16670 | 1 Smartbear | 1 Soapui | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
| The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file. | |||||
| CVE-2017-16151 | 1 Electronjs | 1 Electron | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Based on details posted by the ElectronJS team; A remote code execution vulnerability has been discovered in Google Chromium that affects all recent versions of Electron. Any Electron app that accesses remote content is vulnerable to this exploit, regardless of whether the [sandbox option](https://electron.atom.io/docs/api/sandbox-option) is enabled. | |||||
| CVE-2017-16082 | 1 Node-postgres | 1 Pg | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. | |||||
| CVE-2017-16020 | 1 Summit Project | 1 Summit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. | |||||
| CVE-2017-14853 | 1 Orpak | 1 Siteomat | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device. | |||||
| CVE-2017-1000480 | 1 Smarty | 1 Smarty | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | |||||
| CVE-2016-9651 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |||||
| CVE-2016-5402 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. | |||||
| CVE-2016-4397 | 1 Hp | 1 Network Node Manager I | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. | |||||
| CVE-2016-4391 | 1 Hp | 1 Arcsight Winc Connector | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. | |||||
| CVE-2016-11064 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection. | |||||
| CVE-2016-10546 | 1 Pouchdb | 1 Pouchdb | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands. | |||||
| CVE-2016-10541 | 1 Shell-quote Project | 1 Shell-quote | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. | |||||
| CVE-2015-9298 | 1 Pixelite | 1 Events Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The events-manager plugin before 5.6 for WordPress has code injection. | |||||
| CVE-2015-9272 | 1 Videowhisper | 1 Video Presentation | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. | |||||
| CVE-2015-5243 | 1 Phpwhois Project | 1 Phpwhois | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| phpWhois allows remote attackers to execute arbitrary code via a crafted whois record. | |||||