Total
5240 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-0899 | 3 Debian, Redhat, Rubygems | 8 Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server and 5 more | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | |||||
| CVE-2017-1469 | 1 Ibm | 1 Infosphere Information Server | 2025-04-20 | 4.6 MEDIUM | 7.8 HIGH |
| IBM InfoSphere Information Server 9.1, 11.3, and 11.5 could allow a local user to gain elevated privileges by placing arbitrary files in installation directories. IBM X-Force ID: 128468. | |||||
| CVE-2017-8912 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug. | |||||
| CVE-2017-10844 | 1 Basercms | 1 Basercms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors. | |||||
| CVE-2017-5543 | 1 Intelliants | 1 Subrion | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request. | |||||
| CVE-2017-10968 | 1 Finecms Project | 1 Finecms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "<?php" in a route=template request. | |||||
| CVE-2017-2968 | 1 Adobe | 1 Campaign | 2025-04-20 | 7.5 HIGH | 9.1 CRITICAL |
| Adobe Campaign versions 16.4 Build 8724 and earlier have a code injection vulnerability. | |||||
| CVE-2015-8351 | 1 Gwolle Guestbook Project | 1 Gwolle Guestbook | 2025-04-20 | 6.8 MEDIUM | 9.0 CRITICAL |
| PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled. | |||||
| CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | |||||
| CVE-2017-9771 | 1 Websitebaker | 1 Websitebaker | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| install\save.php in WebsiteBaker v2.10.0 allows remote attackers to execute arbitrary PHP code via the database_username, database_host, or database_password parameter. | |||||
| CVE-2017-16682 | 1 Sap | 2 Business Application Software Integrated Solution, Netweaver Internet Transaction Server | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. | |||||
| CVE-2015-9227 | 1 Alegrocart | 1 Alegrocart | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| PHP remote file inclusion vulnerability in the get_file function in upload/admin2/controller/report_logs.php in AlegroCart 1.2.8 allows remote administrators to execute arbitrary PHP code via a URL in the file_path parameter to upload/admin2. | |||||
| CVE-2017-1000196 | 1 Octobercms | 1 October | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. | |||||
| CVE-2017-7694 | 1 Getsymphony | 1 Symphony | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor. | |||||
| CVE-2017-13676 | 1 Norton | 1 Remove \& Reinstall | 2025-04-20 | 4.4 MEDIUM | 7.0 HIGH |
| Norton Remove & Reinstall can be susceptible to a DLL preloading vulnerability. These types of issues occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. A Norton Remove & Reinstall update, version 4.4.0.58, has been released which addresses the aforementioned vulnerability. | |||||
| CVE-2017-6782 | 1 Cisco | 1 Prime Infrastructure | 2025-04-20 | 4.9 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the administrative web interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to modify a page in the web interface of the affected application. The vulnerability is due to improper sanitization of parameter values by the affected application. An attacker could exploit this vulnerability by injecting malicious code into an affected parameter and persuading a user to access a web page that triggers the rendering of the injected code. Cisco Bug IDs: CSCve47074. Known Affected Releases: 3.2(0.0). | |||||
| CVE-2016-7102 | 1 Owncloud | 1 Owncloud Desktop Client | 2025-04-20 | 4.6 MEDIUM | 8.4 HIGH |
| ownCloud Desktop before 2.2.3 allows local users to execute arbitrary code and possibly gain privileges via a Trojan library in a "special path" in the C: drive. | |||||
| CVE-2017-6186 | 1 Bitdefender | 3 Antivirus Plus, Internet Security, Total Security | 2025-04-20 | 7.2 HIGH | 6.7 MEDIUM |
| Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | |||||
| CVE-2017-9442 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | |||||
| CVE-2017-1336 | 1 Ibm | 1 Infosphere Biginsights | 2025-04-20 | 3.6 LOW | 4.4 MEDIUM |
| IBM Infosphere BigInsights 4.2.0 could allow an attacker to inject code that could allow access to restricted data and files. IBM X-Force ID: 126244. | |||||