Vulnerabilities (CVE)

Filtered by CWE-94
Total 4631 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-15087 1 Prise 1 Adas 2024-11-21 6.5 MEDIUM 7.2 HIGH
An issue was discovered in PRiSE adAS 1.7.0. An authenticated user can change the function used to hash passwords to any function, leading to remote code execution.
CVE-2019-15001 1 Atlassian 2 Jira Data Center, Jira Server 2024-11-21 9.0 HIGH 7.2 HIGH
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.0.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain remote code execution via a template injection vulnerability through the use of a crafted PUT request.
CVE-2019-14965 1 Frappe 1 Frappe 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists.
CVE-2019-14867 2 Fedoraproject, Freeipa 2 Fedora, Freeipa 2024-11-21 6.8 MEDIUM 8.8 HIGH
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.
CVE-2019-14827 1 Moodle 1 Moodle 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions.
CVE-2019-14746 1 Kuaifan 1 Kuaifancms 2024-11-21 7.5 HIGH 9.8 CRITICAL
A issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.
CVE-2019-14423 1 Eq-3 3 Ccu2, Ccu2 Firmware, Cux-daemon 2024-11-21 9.0 HIGH 8.8 HIGH
A Remote Code Execution (RCE) issue in the addon CUx-Daemon 1.11a of the eQ-3 Homematic CCU-Firmware 2.35.16 until 2.45.6 allows remote authenticated attackers to execute system commands as root remotely via a simple HTTP request.
CVE-2019-14282 1 Simple Captcha2 Project 1 Simple Captcha2 2024-11-21 7.5 HIGH 9.8 CRITICAL
The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
CVE-2019-14281 1 Datagrid Project 1 Datagrid 2024-11-21 7.5 HIGH 9.8 CRITICAL
The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
CVE-2019-14242 2 Bitdefender, Microsoft 5 Antivirus Plus, Endpoint Security Tool, Internet Security and 2 more 2024-11-21 7.2 HIGH 6.7 MEDIUM
An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection. A local attacker with administrator privileges can create a malicious DLL file in %SystemRoot%\System32\ that will be executed with local user privileges.
CVE-2019-13956 1 Codersclub 1 Discuz\!ml 2024-11-21 7.5 HIGH 9.8 CRITICAL
Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used).
CVE-2019-13714 2 Google, Opensuse 2 Chrome, Backports Sle 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL.
CVE-2019-13558 1 Advantech 1 Webaccess 2024-11-21 9.0 HIGH 9.8 CRITICAL
In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash.
CVE-2019-13372 1 Dlink 1 Central Wifimanager 2024-11-21 7.5 HIGH 9.8 CRITICAL
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.
CVE-2019-13354 1 Strong Password Project 1 Strong Password 2024-11-21 7.5 HIGH 9.8 CRITICAL
The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6.
CVE-2019-12844 1 Jetbrains 1 Teamcity 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.
CVE-2019-12843 1 Jetbrains 1 Teamcity 2024-11-21 4.3 MEDIUM 6.1 MEDIUM
A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.
CVE-2019-12761 1 Python 1 Pyxdg 2024-11-21 5.1 MEDIUM 7.5 HIGH
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.
CVE-2019-12548 1 Bludit 1 Bludit 2024-11-21 6.5 MEDIUM 8.8 HIGH
Bludit before 3.9.0 allows remote code execution for an authenticated user by uploading a php file while changing the logo through /admin/ajax/upload-logo.
CVE-2019-12120 1 Onap 1 Open Network Automation Platform 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in ONAP VNFSDK through Dublin. By accessing port 8000 of demo-vnfsdk-vnfsdk, an unauthenticated attacker (who already has access to pod-to-pod communication) may execute arbitrary code inside that pod. All ONAP Operations Manager (OOM) setups are affected.