Total
4633 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17302 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. | |||||
| CVE-2019-17301 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. | |||||
| CVE-2019-17300 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user. | |||||
| CVE-2019-17299 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user. | |||||
| CVE-2019-17268 | 1 Omniauth-weibo-oauth2 Project | 1 Omniauth-weibo-oauth2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. | |||||
| CVE-2019-17107 | 1 Centreon | 1 Centreon Web | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| minPlayCommand.php in Centreon Web before 2.8.27 allows authenticated attackers to execute arbitrary code via the command_hostaddress parameter. NOTE: some sources have listed CVE-2019-17017 for this, but that is incorrect. | |||||
| CVE-2019-16885 | 1 Okay-cms | 1 Okaycms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie price_filter, and second in api/Comparison.php via the cookie comparison. | |||||
| CVE-2019-16652 | 1 Geniusbytes | 1 Genius Server | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The BPM component in Genius Bytes Genius Server (Genius CDDS) 3.2.2 allows remote authenticated users to execute arbitrary commands. | |||||
| CVE-2019-16645 | 1 Embedthis | 1 Goahead | 2024-11-21 | 5.0 MEDIUM | 8.6 HIGH |
| An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack. | |||||
| CVE-2019-16255 | 4 Debian, Opensuse, Oracle and 1 more | 4 Debian Linux, Leap, Graalvm and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. | |||||
| CVE-2019-16108 | 1 Phpbb | 1 Phpbb | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
| phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode. | |||||
| CVE-2019-15873 | 1 Metagauss | 1 Profilegrid | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The profilegrid-user-profiles-groups-and-communities plugin before 2.8.6 for WordPress has remote code execution via an wp-admin/admin-ajax.php request with the action=pm_template_preview&html=<?php substring followed by PHP code. | |||||
| CVE-2019-15766 | 1 Kslabs | 1 Ksweb | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The KSLABS KSWEB (aka ru.kslabs.ksweb) application 3.93 for Android allows authenticated remote code execution via a POST request to the AJAX handler with the configFile parameter set to the arbitrary file to be written to (and the config_text parameter set to the content of the file to be created). This can be a PHP file that is written to in the public web directory and subsequently executed. The attacker must have network connectivity to the PHP server that is running on the Android device. | |||||
| CVE-2019-15746 | 1 Sitos | 1 Sitos Six | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user. | |||||
| CVE-2019-15647 | 1 Groundhogg | 1 Groundhogg | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| The groundhogg plugin before 1.3.5 for WordPress has wp-admin/admin-ajax.php?action=bulk_action_listener remote code execution. | |||||
| CVE-2019-15642 | 1 Webmin | 1 Webmin | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialise_variable makes an eval call. NOTE: the Webmin_Servers_Index documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must not be granted to un-trusted Webmin users." | |||||
| CVE-2019-15599 | 1 Tree-kill Project | 1 Tree-kill | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2019-15597 | 1 Node-df Project | 1 Node-df | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input. | |||||
| CVE-2019-15490 | 1 It-novum | 1 Openitcockpit | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| openITCOCKPIT before 3.7.1 allows code injection, aka RVID 1-445b21. | |||||
| CVE-2019-15388 | 1 Coolpad | 2 Mega 5, Mega 5 Firmware | 2024-11-21 | 9.3 HIGH | 8.1 HIGH |
| The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more. | |||||