Total
3575 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2011-4342 | 2 Backwpup, Wordpress | 2 Backwpup, Wordpress | 2024-02-14 | 7.5 HIGH | N/A |
| PHP remote file inclusion vulnerability in wp_xml_export.php in the BackWPup plugin before 1.7.2 for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the wpabs parameter. | |||||
| CVE-2011-5021 | 1 Phpids | 1 Phpids | 2024-02-14 | 7.5 HIGH | N/A |
| PHPIDS before 0.7 does not properly implement Regular Expression Denial of Service (ReDoS) filters, which allows remote attackers to bypass rulesets and add PHP sequences to a file via unspecified vectors. | |||||
| CVE-2006-3395 | 1 Webdesignhq | 1 Sitebuilder-fx | 2024-02-14 | 5.1 MEDIUM | N/A |
| PHP remote file inclusion vulnerability in top.php in SiteBuilder-FX 3.5 allows remote attackers to execute arbitrary PHP code via a URL in the admindir parameter. | |||||
| CVE-2013-6795 | 1 Rackspace | 1 Openstack Windows Guest Agent | 2024-02-14 | 9.3 HIGH | N/A |
| The Updater in Rackspace Openstack Windows Guest Agent for XenServer before 1.2.6.0 allows remote attackers to execute arbitrary code via a crafted serialized .NET object to TCP port 1984, which triggers the download and extraction of a ZIP file that overwrites the Agent service binary. | |||||
| CVE-2002-0495 | 1 Cgiscript | 1 Cssearch Professional | 2024-02-13 | 10.0 HIGH | N/A |
| csSearch.cgi in csSearch 2.3 and earlier allows remote attackers to execute arbitrary Perl code via the savesetup command and the setup parameter, which overwrites the setup.cgi configuration file that is loaded by csSearch.cgi. | |||||
| CVE-2005-1876 | 1 Cutephp | 1 Cutenews | 2024-02-13 | 4.4 MEDIUM | N/A |
| Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file. | |||||
| CVE-2005-1894 | 1 Flatnuke | 1 Flatnuke | 2024-02-13 | 7.5 HIGH | N/A |
| Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker. | |||||
| CVE-2003-0395 | 1 Myupb | 1 Ultimate Php Board | 2024-02-13 | 7.5 HIGH | N/A |
| Ultimate PHP Board (UPB) 1.9 allows remote attackers to execute arbitrary PHP code with UPB administrator privileges via an HTTP request containing the code in the User-Agent header, which is executed when the administrator executes admin_iplog.php. | |||||
| CVE-2023-6996 | 1 Vegacorp | 1 Display Custom Fields In The Frontend - Post And User Profile Fields | 2024-02-13 | N/A | 8.8 HIGH |
| The Display custom fields in the frontend – Post and User Profile Fields plugin for WordPress is vulnerable to Code Injection via the plugin's vg_display_data shortcode in all versions up to, and including, 1.2.1 due to insufficient input validation and restriction on access to that shortcode. This makes it possible for authenticated attackers with contributor-level and above permissions to call arbitrary functions and execute code. | |||||
| CVE-2023-45735 | 1 Westermo | 2 L206-f2g, L206-f2g Firmware | 2024-02-12 | N/A | 8.0 HIGH |
| A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. | |||||
| CVE-2023-50488 | 1 Blurams | 2 Lumi Security Camera A31c, Lumi Security Camera A31c Firmware | 2024-02-10 | N/A | 9.8 CRITICAL |
| An issue in Blurams Lumi Security Camera (A31C) v23.0406.435.4120 allows attackers to execute arbitrary code. | |||||
| CVE-2023-51820 | 1 Blurams | 2 Lumi Security Camera A31c, Lumi Security Camera A31c Firmware | 2024-02-10 | N/A | 6.8 MEDIUM |
| An issue in Blurams Lumi Security Camera (A31C) v.2.3.38.12558 allows a physically proximate attackers to execute arbitrary code. | |||||
| CVE-2024-22533 | 1 Xiandafu | 1 Beetl | 2024-02-10 | N/A | 9.8 CRITICAL |
| Before Beetl v3.15.12, the rendering template has a server-side template injection (SSTI) vulnerability. When the incoming template is controllable, it will be filtered by the DefaultNativeSecurityManager blacklist. Because blacklist filtering is not strict, the blacklist can be bypassed, leading to arbitrary code execution. | |||||
| CVE-2021-22282 | 1 Br-automation | 1 Automation Studio | 2024-02-10 | N/A | 7.8 HIGH |
| Improper Control of Generation of Code ('Code Injection') vulnerability in B&R Industrial Automation Automation Studio allows Local Execution of Code.This issue affects Automation Studio: from 4.0 through 4.12. | |||||
| CVE-2024-0325 | 1 Perforce | 1 Helix Sync | 2024-02-09 | N/A | 7.8 HIGH |
| In Helix Sync versions prior to 2024.1, a local command injection was identified. Reported by Bryan Riggins. | |||||
| CVE-2023-37518 | 1 Hcltech | 1 Bigfix Servicenow Data Flow | 2024-02-05 | N/A | 8.8 HIGH |
| HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user. | |||||
| CVE-2023-37470 | 1 Metabase | 1 Metabase | 2024-02-05 | N/A | 9.8 CRITICAL |
| Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. Versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4 fix this issue by removing the ability of users to add H2 databases entirely. As a workaround, it is possible to block these vulnerabilities at the network level by blocking the endpoints `POST /api/database`, `PUT /api/database/:id`, and `POST /api/setup/validateuntil`. Those who use H2 as a file-based database should migrate to SQLite. | |||||
| CVE-2022-41264 | 1 Sap | 1 Basis | 2024-02-05 | N/A | 8.8 HIGH |
| Due to the unrestricted scope of the RFC function module, SAP BASIS - versions 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 789, 790, 791, allows an authenticated non-administrator attacker to access a system class and execute any of its public methods with parameters provided by the attacker. On successful exploitation the attacker can have full control of the system to which the class belongs, causing a high impact on the integrity of the application. | |||||
| CVE-2023-50721 | 1 Xwiki | 1 Xwiki | 2024-02-05 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in 4.5-rc-1 and prior to versions 14.10.15, 15.5.2, and 15.7-rc-1, the search administration interface doesn't properly escape the id and label of search user interface extensions, allowing the injection of XWiki syntax containing script macros including Groovy macros that allow remote code execution, impacting the confidentiality, integrity and availability of the whole XWiki instance. This attack can be executed by any user who can edit some wiki page like the user's profile (editable by default) as user interface extensions that will be displayed in the search administration can be added on any document by any user. The necessary escaping has been added in XWiki 14.10.15, 15.5.2 and 15.7RC1. As a workaround, the patch can be applied manually applied to the page `XWiki.SearchAdmin`. | |||||
| CVE-2023-5512 | 1 Gitlab | 1 Gitlab | 2024-02-05 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 16.3 before 16.4.4, all versions starting from 16.5 before 16.5.4, all versions starting from 16.6 before 16.6.2. File integrity may be compromised when specific HTML encoding is used for file names leading for incorrect representation in the UI. | |||||