Total
4659 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-16082 | 1 Node-postgres | 1 Pg | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. | |||||
| CVE-2017-16020 | 1 Summit Project | 1 Summit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. | |||||
| CVE-2017-14853 | 1 Orpak | 1 Siteomat | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device. | |||||
| CVE-2017-1000480 | 1 Smarty | 1 Smarty | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Smarty 3 before 3.1.32 is vulnerable to a PHP code injection when calling fetch() or display() functions on custom resources that does not sanitize template name. | |||||
| CVE-2016-9651 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
| A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |||||
| CVE-2016-5402 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. | |||||
| CVE-2016-4397 | 1 Hp | 1 Network Node Manager I | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. | |||||
| CVE-2016-4391 | 1 Hp | 1 Arcsight Winc Connector | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. | |||||
| CVE-2016-11064 | 1 Mattermost | 1 Mattermost Desktop | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Mattermost Desktop App before 3.4.0. Strings could be executed as code via injection. | |||||
| CVE-2016-10546 | 1 Pouchdb | 1 Pouchdb | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands. | |||||
| CVE-2016-10541 | 1 Shell-quote Project | 1 Shell-quote | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. | |||||
| CVE-2015-9298 | 1 Pixelite | 1 Events Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The events-manager plugin before 5.6 for WordPress has code injection. | |||||
| CVE-2015-9272 | 1 Videowhisper | 1 Video Presentation | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. | |||||
| CVE-2015-5243 | 1 Phpwhois Project | 1 Phpwhois | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| phpWhois allows remote attackers to execute arbitrary code via a crafted whois record. | |||||
| CVE-2015-3173 | 1 Custom Content Type Manager Project | 1 Custom Content Type Manager | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| custom-content-type-manager Wordpress plugin can be used by an administrator to achieve arbitrary PHP remote code execution. | |||||
| CVE-2015-10009 | 1 Nonfiction | 1 Nterchange | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability was found in nterchange up to 4.1.0. It has been rated as critical. This issue affects the function getContent of the file app/controllers/code_caller_controller.php. The manipulation of the argument q with the input %5C%27%29;phpinfo%28%29;/* leads to code injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.1 is able to address this issue. The patch is named fba7d89176fba8fe289edd58835fe45080797d99. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217187. | |||||
| CVE-2014-5401 | 1 Hospira | 1 Mednet | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Hospira MedNet software version 5.8 and prior uses vulnerable versions of the JBoss Enterprise Application Platform software that may allow unauthenticated users to execute arbitrary code on the target system. Hospira has developed a new version of the MedNet software, MedNet 6.1. Existing versions of MedNet can be upgraded to MedNet 6.1. | |||||
| CVE-2014-2302 | 1 Webedition | 1 Webedition Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org. | |||||
| CVE-2014-2293 | 1 Zikula | 1 Zikula Application Framework | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php. | |||||
| CVE-2013-7468 | 1 Simplemachines | 1 Simple Machines Forum | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter. | |||||