Total: 860 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2018-18892 | 1 1234n | 1 Minicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php. |
CVE-2018-18835 | 1 Doccms | 1 Doccms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | upload_template() in system/changeskin.php in DocCms 2016.5.12 allows remote attackers to execute arbitrary PHP code via a template file. |
CVE-2018-18461 | 1 Kibokolabs | 1 Arigato Autoresponder And Newsletter | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php. |
CVE-2018-18319 | 1 Asuswrt-merlin Project | 28 Rt-ac1900, Rt-ac1900 Firmware, Rt-ac2900 and 25 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | ** DISPUTED ** An issue was discovered in the Merlin.PHP component 0.6.6 for Asuswrt-Merlin devices. An attacker can execute arbitrary commands because api.php has an eval call, as demonstrated by the /6/api.php?function=command&class=remote&Cc='ls' URI. NOTE: the vendor indicates that Merlin.PHP is designed only for use on a trusted intranet network, and intentionally allows remote code execution. |
CVE-2018-18258 | 1 Bagesoft | 1 Bagecms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in BageCMS 3.1.3. The attacker can execute arbitrary PHP code on the web server and can read any file on the web server via an index.php?r=admini/template/updateTpl&filename= URI. |
CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. |
CVE-2018-18083 | 1 Comsenz | 1 Duomicms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in DuomiCMS 3.0. Remote PHP code execution is possible via the search.php searchword parameter because "eval" is used during "if" processing. |
CVE-2018-17207 | 1 Snapcreek | 1 Duplicator | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. |
CVE-2018-17173 | 1 Lg | 1 Supersign Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail. |
CVE-2018-17126 | 1 Chshcms | 1 Cscms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php. |
CVE-2018-17036 | 1 Ucms Project | 1 Ucms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. |
CVE-2018-16975 | 1 Elefantcms | 1 Elefant | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php. |
CVE-2018-16771 | 1 Hoosk | 1 Hoosk | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. |
CVE-2018-16168 | 1 Jpcert | 1 Logontracer | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | LogonTracer 1.2.0 and earlier allows remote attackers to conduct Python code injection attacks via unspecified vectors. |
CVE-2018-14804 | 1 Emerson | 1 Ams Device Manager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution. |
CVE-2018-14579 | 1 Golemcms Project | 1 Golemcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct request for install/install.sql. |
CVE-2018-14399 | 1 Phpcms Project | 1 Phpcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attackers to upload and execute arbitrary PHP code via a .txt?.php#.jpg URI in the SRC attribute of an IMG element within info[content] JSON data to the index.php?m=member&c=index&a=register URI. |
CVE-2018-13818 | 1 Symfony | 1 Twig | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | ** DISPUTED ** Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it. |
CVE-2018-13043 | 2 Canonical, Debian | 2 Ubuntu Linux, Devscripts | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading because YAML::Syck is used without a configuration that prevents unintended blessing. |
CVE-2018-12531 | 1 Metinfo | 1 Metinfo | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL | An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271. |