Total
4636 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-14971 | 1 Pi-hole | 1 Pi-hole | 2024-11-21 | 4.6 MEDIUM | 7.8 HIGH |
| Pi-hole through 5.0 allows code injection in piholedhcp (the Static DHCP Leases section) by modifying Teleporter backup files and then restoring them. This occurs in settings.php. To exploit this, an attacker would request a backup of limited files via teleporter.php. These are placed into a .tar.gz archive. The attacker then modifies the host parameter in dnsmasq.d files, and then compresses and uploads these files again. | |||||
| CVE-2020-13994 | 1 Mods-for-hesk | 1 Mods For Hesk | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Mods for HESK 3.1.0 through 2019.1.0. A privileged user can achieve code execution on the server via a ticket because of improper access control of uploaded resources. This might be exploitable in conjunction with CVE-2020-13992 by an unauthenticated attacker. | |||||
| CVE-2020-13144 | 1 Edx | 1 Open Edx Platform | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Studio in Open edX Ironwood 2.5, when CodeJail is not used, allows a user to go to the "Create New course>New section>New subsection>New unit>Add new component>Problem button>Advanced tab>Custom Python evaluated code" screen, edit the problem, and execute Python code. This leads to arbitrary code execution. | |||||
| CVE-2020-12842 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkUserExpirationDate.php. | |||||
| CVE-2020-12839 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/checkExpirationDate.php. | |||||
| CVE-2020-12838 | 1 Gogogate | 2 Ismartgate Pro, Ismartgate Pro Firmware | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| ismartgate PRO 1.5.9 is vulnerable to privilege escalation by appending PHP code to /cron/mailAdmin.php. | |||||
| CVE-2020-11851 | 1 Microfocus | 1 Arcsight Logger | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Arbitrary code execution vulnerability on Micro Focus ArcSight Logger product, affecting all version prior to 7.1.1. The vulnerability could be remotely exploited resulting in the execution of arbitrary code. | |||||
| CVE-2020-11103 | 1 Webswing | 1 Webswing | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| JsLink in Webswing before 2.6.12 LTS, and 2.7.x and 20.x before 20.1, allows remote code execution. | |||||
| CVE-2020-11057 | 1 Xwiki | 1 Xwiki | 2024-11-21 | 9.0 HIGH | 9.9 CRITICAL |
| In XWiki Platform 7.2 through 11.10.2, registered users without scripting/programming permissions are able to execute python/groovy scripts while editing personal dashboards. This has been fixed 11.3.7 , 11.10.3 and 12.0. | |||||
| CVE-2020-10389 | 1 Chadhaajay | 1 Phpkb | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings. | |||||
| CVE-2020-10257 | 1 Themerex | 63 Addons, Aldo-gutenberg Wordpress Blog Theme, Amuli and 60 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter. | |||||
| CVE-2020-10176 | 1 Assaabloy | 2 Yale Wipc-301w, Yale Wipc-301w Firmware | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands. | |||||
| CVE-2020-10055 | 1 Siemens | 2 Desigo Consumption Control, Desigo Consumption Control Compact | 2024-11-21 | 9.3 HIGH | 9.8 CRITICAL |
| A vulnerability has been identified in Desigo CC (V4.x), Desigo CC (V3.x), Desigo CC Compact (V4.x), Desigo CC Compact (V3.x). Affected applications are delivered with a 3rd party component (BIRT) that contains a remote code execution vulnerability if the Advanced Reporting Engine is enabled. The vulnerability could allow a remote unauthenticated attacker to execute arbitrary commands on the server with SYSTEM privileges. | |||||
| CVE-2019-9891 | 1 Tldp | 1 Advanced Bash-scripting Guide | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| The function getopt_simple as described in Advanced Bash Scripting Guide (ISBN 978-1435752184) allows privilege escalation and execution of commands when used in a shell script called, for example, via sudo. | |||||
| CVE-2019-9848 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects: Document Foundation LibreOffice versions prior to 6.2.5. | |||||
| CVE-2019-9829 | 1 Maccms | 1 Maccms | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates. | |||||
| CVE-2019-9695 | 1 Symantec | 2 Norton Core, Norton Core Firmware | 2024-11-21 | 7.2 HIGH | 6.8 MEDIUM |
| Norton Core prior to v278 may be susceptible to an arbitrary code execution issue, which is a type of vulnerability that has the potential of allowing an individual to execute arbitrary commands or code on a target machine or in a target process. Note that this exploit is only possible with direct physical access to the device. | |||||
| CVE-2019-9651 | 1 Sdcms | 1 Sdcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SDCMS V1.7. In the \app\admin\controller\themecontroller.php file, the check_bad() function's filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP functions (such as "eval") are blocked but others (such as "system") are not, and because ".php" is blocked but ".PHP" is not blocked. | |||||
| CVE-2019-9227 | 1 Baigo | 1 Baigo Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file. | |||||
| CVE-2019-9163 | 1 Marchnetworks | 1 Command Client | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | |||||