Total
860 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8961 | 1 Avira | 1 Free Antivirus | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Avira Free-Antivirus before 15.0.2004.1825. The Self-Protection feature does not prohibit a write operation from an external process. Thus, code injection can be used to turn off this feature. After that, one can construct an event that will modify a file at a specific location, and pass this event to the driver, thereby defeating the anti-virus functionality. | |||||
| CVE-2020-8584 | 1 Netapp | 4 Element Os, Hci Management Node, Hci Storage Node and 1 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Element OS versions prior to 1.8P1 and 12.2 are susceptible to a vulnerability that could allow an unauthenticated remote attacker to perform arbitrary code execution. | |||||
| CVE-2020-8518 | 3 Debian, Fedoraproject, Horde | 3 Debian Linux, Fedora, Groupware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Horde Groupware Webmail Edition 5.2.22 allows injection of arbitrary PHP code via CSV data, leading to remote code execution. | |||||
| CVE-2020-8349 | 1 Lenovo | 10 Cloud Networking Operating System, Rackswitch G8272, Rackswitch G8296 and 7 more | 2024-11-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| An internal security review has identified an unauthenticated remote code execution vulnerability in Cloud Networking Operating System (CNOS)’ optional REST API management interface. This interface is disabled by default and not vulnerable unless enabled. When enabled, it is only vulnerable where attached to a VRF and as allowed by defined ACLs. Lenovo strongly recommends upgrading to a non-vulnerable CNOS release. Where not possible, Lenovo recommends disabling the REST API management interface or restricting access to the management VRF and further limiting access to authorized management stations via ACL. | |||||
| CVE-2020-8180 | 1 Nextcloud | 1 Talk | 2024-11-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. | |||||
| CVE-2020-8149 | 1 Logkitty Project | 1 Logkitty | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. | |||||
| CVE-2020-8137 | 1 Blamer Project | 1 Blamer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker. | |||||
| CVE-2020-8129 | 1 Script-manager Project | 1 Script-manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. | |||||
| CVE-2020-7480 | 1 Schneider-electric | 22 Andover Continuum 5720, Andover Continuum 5720 Firmware, Andover Continuum 5740 and 19 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | |||||
| CVE-2020-7206 | 1 Hp | 1 Nagios-plugins-hpilo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| HP nagios plugin for iLO (nagios-plugins-hpilo v1.50 and earlier) has a php code injection vulnerability. | |||||
| CVE-2020-6836 | 1 Hot-formula-parser Project | 1 Hot-formula-parser | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server. | |||||
| CVE-2020-6144 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The username variable which is set at line 121 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2020-6143 | 1 Os4ed | 1 Opensis | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution vulnerability exists in the install functionality of OS4Ed openSIS 7.4. The password variable which is set at line 122 in install/Step5.php allows for injection of PHP code into the Data.php file that it writes. An attacker can send an HTTP request to trigger this vulnerability. | |||||
| CVE-2020-5553 | 1 Mailform | 1 Mailform | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors. | |||||
| CVE-2020-36708 | 3 Colorlib, Cpothemes, Machothemes | 16 Activello, Bonkers, Illdy and 13 more | 2024-11-21 | N/A | 9.8 CRITICAL |
| The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution. | |||||
| CVE-2020-35863 | 1 Hyper | 1 Hyper | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in the hyper crate before 0.12.34 for Rust. HTTP request smuggling can occur. Remote code execution can occur in certain situations with an HTTP server on the loopback interface. | |||||
| CVE-2020-35458 | 1 Clusterlabs | 1 Hawk | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in ClusterLabs Hawk 2.x through 2.3.0-x. There is a Ruby shell code injection issue via the hawk_remember_me_id parameter in the login_from_cookie cookie. The user logout routine could be used by unauthenticated remote attackers to execute code as hauser. | |||||
| CVE-2020-35131 | 1 Agentejo | 1 Cockpit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Cockpit before 0.6.1 allows an attacker to inject custom PHP code and achieve Remote Command Execution via registerCriteriaFunction in lib/MongoLite/Database.php, as demonstrated by values in JSON data to the /auth/check or /auth/requestreset URI. | |||||
| CVE-2020-25197 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| A code injection vulnerability exists in one of the webpages in GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system. | |||||
| CVE-2020-23037 | 1 Portable | 1 Playable | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | |||||