Total: 860 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-29307 | 1 Ionizecms | 1 Ionize | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | IonizeCMS v1.0.8.1 was discovered to contain a command injection vulnerability via the function copy_lang_content in application/models/lang_model.php.
CVE-2022-29078 | 1 Ejs | 1 Ejs | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The ejs (aka Embedded JavaScript templates) package 3.1.6 for Node.js allows server-side template injection in settings[view options][outputFunctionName]. This is parsed as an internal option and overwrites the outputFunctionName option with an arbitrary OS command (which is executed upon template compilation).
CVE-2022-25759 | 1 Convert-svg-core Project | 1 Convert-svg-core | 2024-11-21 | N/A | 9.9 CRITICAL | The package convert-svg-core before 0.6.2 is vulnerable to Remote Code Injection via a sent SVG file containing the payload.
CVE-2022-25578 | 1 Taogogo | 1 Taocms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | taocms v3.0.2 allows attackers to perform code injection by arbitrarily editing the .htaccess file.
CVE-2022-25498 | 1 Cuppacms | 1 Cuppacms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php.
CVE-2022-24817 | 1 Fluxcd | 3 Flux2, Helm-controller, Kustomize-controller | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | Flux2 is an open and extensible continuous delivery solution for Kubernetes. Flux2 versions between 0.1.0 and 0.29.0, helm-controller 0.1.0 to v0.19.0, and kustomize-controller 0.1.0 to v0.23.0 are vulnerable to Code Injection via a malicious Kubeconfig. In multi-tenancy deployments this can also lead to privilege escalation if the controller's service account has elevated permissions. Workarounds include disabling the functionality via Validating Admission webhooks that restrict users from setting the `spec.kubeConfig` field in Flux `Kustomization` and `HelmRelease` objects. Additional mitigations include applying restrictive AppArmor and SELinux profiles on the controller's pod to limit what binaries can be executed. This vulnerability is fixed in kustomize-controller v0.23.0 and helm-controller v0.19.0, both included in flux2 v0.29.0.
CVE-2022-24711 | 1 Codeigniter | 1 Codeigniter | 2024-11-21 | 7.5 HIGH | 9.4 CRITICAL | CodeIgniter4 is the 4.x branch of CodeIgniter, a PHP full-stack web framework. Prior to version 4.1.9, an improper input validation vulnerability allows attackers to execute CLI routes via an HTTP request. Version 4.1.9 contains a patch. There are currently no known workarounds for this vulnerability.
CVE-2022-24665 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via a WordPress Gutenberg block by any user able to edit posts.
CVE-2022-24664 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-11-21 | 4.0 MEDIUM | 9.9 CRITICAL | PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress metaboxes, which could be used by any user able to edit posts.
CVE-2022-24663 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL | PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.
CVE-2022-24442 | 1 Jetbrains | 1 Youtrack | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2022-21831 | 2 Debian, Rubyonrails | 2 Debian Linux, Active Storage | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL | A code injection vulnerability exists in Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
CVE-2022-21686 | 1 Prestashop | 1 Prestashop | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL | PrestaShop is an Open Source e-commerce platform. Starting with version 1.7.0.0 and ending with version 1.7.8.3, an attacker is able to inject Twig code inside the back office when using the legacy layout. The problem is fixed in version 1.7.8.3. There are no known workarounds.
CVE-2022-21122 | 1 Metarhia | 1 Metacalc | 2024-11-21 | 7.5 HIGH | 9.0 CRITICAL | The package metacalc before 0.0.2 is vulnerable to Arbitrary Code Execution because it exposes JavaScript's Math class to the v8 context. As the Math class is exposed to user-land, it can be used to gain access to JavaScript's Function constructor.
CVE-2022-0885 | 1 Memberhero | 1 Member Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments.
CVE-2022-0845 | 1 Lightningai | 1 Pytorch Lightning | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL | Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0.
CVE-2021-4434 | 1 Warfareplugins | 1 Social Warfare | 2024-11-21 | N/A | 10.0 CRITICAL | The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server.
CVE-2021-46362 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter.
CVE-2021-46063 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL | MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module.
CVE-2021-45029 | 1 Apache | 1 Shenyu | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Groovy Code Injection and SpEL Injection that lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1.