Total
4402 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-11167 | 1 Finecms Project | 1 Finecms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo() input value. | |||||
| CVE-2015-6531 | 1 Paloaltonetworks | 1 Pan-os | 2025-04-20 | 9.3 HIGH | 7.8 HIGH |
| Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file. | |||||
| CVE-2017-6325 | 1 Symantec | 1 Messaging Gateway | 2025-04-20 | 6.0 MEDIUM | 6.6 MEDIUM |
| The Symantec Messaging Gateway can encounter a file inclusion vulnerability, which is a type of vulnerability that is most commonly found to affect web applications that rely on a scripting run time. This issue is caused when an application builds a path to executable code using an attacker-controlled variable in a way that allows the attacker to control which file is executed at run time. This file inclusion vulnerability subverts how an application loads code for execution. Successful exploitation of a file inclusion vulnerability will result in remote code execution on the web server that runs the affected web application. | |||||
| CVE-2015-8771 | 1 Gosa Project | 1 Gosa Plugin | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password. | |||||
| CVE-2017-8284 | 1 Qemu | 1 Qemu | 2025-04-20 | 6.9 MEDIUM | 7.0 HIGH |
| The disas_insn function in target/i386/translate.c in QEMU before 2.9.0, when TCG mode without hardware acceleration is used, does not limit the instruction size, which allows local users to gain privileges by creating a modified basic block that injects code into a setuid program, as demonstrated by procmail. NOTE: the vendor has stated "this bug does not violate any security guarantees QEMU makes. | |||||
| CVE-2016-6175 | 1 Php-gettext Project | 1 Php-gettext | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Eval injection vulnerability in php-gettext 1.0.12 and earlier allows remote attackers to execute arbitrary PHP code via a crafted plural forms header. | |||||
| CVE-2017-14198 | 1 Squiz | 1 Matrix | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag. | |||||
| CVE-2015-3638 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable. | |||||
| CVE-2014-8677 | 1 Soplanning | 1 Soplanning | 2025-04-20 | 3.5 LOW | 5.3 MEDIUM |
| The installation process for SOPlanning 1.32 and earlier allows remote authenticated users with a prepared database, and access to an existing database with a crafted name, or permissions to create arbitrary databases, or if PHP before 5.2 is being used, the configuration database is down, and smarty/templates_c is not writable to execute arbitrary php code via a crafted database name. | |||||
| CVE-2017-11715 | 1 Metinfo Project | 1 Metinfo | 2025-04-20 | 6.5 MEDIUM | 9.8 CRITICAL |
| job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php. | |||||
| CVE-2017-15806 | 1 Zetacomponents | 1 Mail | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The send function in the ezcMailMtaTransport class in Zeta Components Mail before 1.8.2 does not properly restrict the set of characters used in the ezcMail returnPath property, which might allow remote attackers to execute arbitrary code via a crafted email address, as demonstrated by one containing "-X/path/to/wwwroot/file.php." | |||||
| CVE-2017-14146 | 1 Helpdezk | 1 Helpdezk | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary PHP code by uploading a .php attachment and then requesting it in the helpdezk\app\uploads\helpdezk\attachments\ directory. | |||||
| CVE-2017-3753 | 1 Lenovo | 219 63, 63 Firmware, H50-30g and 216 more | 2025-04-20 | 7.2 HIGH | 6.8 MEDIUM |
| A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. | |||||
| CVE-2014-3927 | 1 Mrlg4php Project | 1 Mrlg4php | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code. | |||||
| CVE-2016-10157 | 1 Akamai | 1 Netsession | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Akamai NetSession 1.9.3.1 is vulnerable to DLL Hijacking: it tries to load CSUNSAPI.dll without supplying the complete path. The issue is aggravated because the mentioned DLL is missing from the installation, thus making it possible to hijack the DLL and subsequently inject code within the Akamai NetSession process space. | |||||
| CVE-2017-1001002 | 1 Mathjs | 1 Math.js | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | |||||
| CVE-2017-8402 | 1 Pivotx | 1 Pivotx | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| PivotX 2.3.11 allows remote authenticated users to execute arbitrary PHP code via vectors involving an upload of a .htaccess file. | |||||
| CVE-2017-1440 | 1 Ibm | 1 Emptoris Services Procurement | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| IBM Emptoris Services Procurement 10.0.0.5 could allow a remote attacker to include arbitrary files. A remote attacker could send a specially-crafted URL to specify a malicious file from a remote system, which could allow the attacker to execute arbitrary code on the vulnerable Web server. IBM X-Force ID: 128105. | |||||
| CVE-2017-16871 | 1 Updraftplus | 1 Updraftplus | 2025-04-20 | 6.8 MEDIUM | 8.1 HIGH |
| The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the name parameter. NOTE: the vendor reports that this does not cross a privilege boundary | |||||
| CVE-2017-7402 | 1 Lucidcrew | 1 Pixie | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg. | |||||