Total
3575 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-30130 | 1 Craftcms | 1 Craft Cms | 2024-02-04 | N/A | 8.8 HIGH |
| An issue found in CraftCMS v.3.8.1 allows a remote attacker to execute arbitrary code via a crafted script to the Section parameter. | |||||
| CVE-2022-38745 | 1 Apache | 1 Openoffice | 2024-02-04 | N/A | 7.8 HIGH |
| Apache OpenOffice versions before 4.1.14 may be configured to add an empty entry to the Java class path. This may lead to run arbitrary Java code from the current directory. | |||||
| CVE-2020-36708 | 3 Colorlib, Cpothemes, Machothemes | 16 Activello, Bonkers, Illdy and 13 more | 2024-02-04 | N/A | 9.8 CRITICAL |
| The following themes for WordPress are vulnerable to Function Injections in versions up to and including Shapely <= 1.2.7, NewsMag <= 2.4.1, Activello <= 1.4.0, Illdy <= 2.1.4, Allegiant <= 1.2.2, Newspaper X <= 1.3.1, Pixova Lite <= 2.0.5, Brilliance <= 1.2.7, MedZone Lite <= 1.2.4, Regina Lite <= 2.0.4, Transcend <= 1.1.8, Affluent <= 1.1.0, Bonkers <= 1.0.4, Antreas <= 1.0.2, Sparkling <= 2.4.8, and NatureMag Lite <= 1.0.4. This is due to epsilon_framework_ajax_action. This makes it possible for unauthenticated attackers to call functions and achieve remote code execution. | |||||
| CVE-2023-2259 | 1 Alf | 1 Alf | 2024-02-04 | N/A | 7.2 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
| CVE-2023-2943 | 1 Open-emr | 1 Openemr | 2024-02-04 | N/A | 8.8 HIGH |
| Code Injection in GitHub repository openemr/openemr prior to 7.0.1. | |||||
| CVE-2023-1250 | 1 Otrs | 1 Otrs | 2024-02-04 | N/A | 7.8 HIGH |
| Improper Input Validation vulnerability in OTRS AG OTRS (ACL modules), OTRS AG ((OTRS)) Community Edition (ACL modules) allows Local Execution of Code. When creating/importing an ACL it was possible to inject code that gets executed via manipulated comments and ACL-names This issue affects OTRS: from 7.0.X before 7.0.42, from 8.0.X before 8.0.31; ((OTRS)) Community Edition: from 6.0.1 through 6.0.34. | |||||
| CVE-2023-2017 | 1 Shopware | 1 Shopware | 2024-02-04 | N/A | 8.8 HIGH |
| Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731. | |||||
| CVE-2023-29402 | 2 Fedoraproject, Golang | 2 Fedora, Go | 2024-02-04 | N/A | 9.8 CRITICAL |
| The go command may generate unexpected code at build time when using cgo. This may result in unexpected behavior when running a go program which uses cgo. This may occur when running an untrusted module which contains directories with newline characters in their names. Modules which are retrieved using the go command, i.e. via "go get", are not affected (modules retrieved using GOPATH-mode, i.e. GO111MODULE=off, may be affected). | |||||
| CVE-2023-25953 | 1 Worksmobile | 1 Drive Explorer | 2024-02-04 | N/A | 9.8 CRITICAL |
| Code injection vulnerability in Drive Explorer for macOS versions 3.5.4 and earlier allows an attacker who can login to the client where the affected product is installed to inject arbitrary code while processing the product execution. Since a full disk access privilege is required to execute LINE WORKS Drive Explorer, the attacker may be able to read and/or write to arbitrary files without the access privileges. | |||||
| CVE-2023-37199 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2024-02-04 | N/A | 7.2 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | |||||
| CVE-2023-1178 | 1 Gitlab | 1 Gitlab | 2024-02-04 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. | |||||
| CVE-2020-20918 | 1 Pluck-cms | 1 Pluck | 2024-02-04 | N/A | 7.2 HIGH |
| An issue discovered in Pluck CMS v.4.7.10-dev2 allows a remote attacker to execute arbitrary php code via the hidden parameter to admin.php when editing a page. | |||||
| CVE-2022-35743 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2024-02-04 | N/A | 7.8 HIGH |
| Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | |||||
| CVE-2023-30537 | 1 Xwiki | 1 Xwiki | 2024-02-04 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10. | |||||
| CVE-2023-23912 | 1 Ui | 20 Er-10x, Er-10x Firmware, Er-12 and 17 more | 2024-02-04 | N/A | 8.8 HIGH |
| A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to create a remote code execution vulnerability. | |||||
| CVE-2022-46157 | 1 Akeneo | 1 Product Information Management | 2024-02-04 | N/A | 8.8 HIGH |
| Akeneo PIM is an open source Product Information Management (PIM). Akeneo PIM Community Edition versions before v5.0.119 and v6.0.53 allows remote authenticated users to execute arbitrary PHP code on the server by uploading a crafted image. Akeneo PIM Community Edition after the versions aforementioned provides patched Apache HTTP server configuration file, for docker setup and in documentation sample, to fix this vulnerability. Community Edition users must change their Apache HTTP server configuration accordingly to be protected. The patch for Cloud Based Akeneo PIM Services customers has been applied since 30th October 2022. Users are advised to upgrade. Users unable to upgrade may Replace any reference to `<FilesMatch \.php$>` in their apache httpd configurations with: `<Location "/index.php">`. | |||||
| CVE-2023-1283 | 1 Builder | 1 Qwik | 2024-02-04 | N/A | 9.8 CRITICAL |
| Code Injection in GitHub repository builderio/qwik prior to 0.21.0. | |||||
| CVE-2022-46166 | 1 Codecentric | 1 Spring Boot Admin | 2024-02-04 | N/A | 9.8 CRITICAL |
| Spring boot admins is an open source administrative user interface for management of spring boot applications. All users who run Spring Boot Admin Server, having enabled Notifiers (e.g. Teams-Notifier) and write access to environment variables via UI are affected. Users are advised to upgrade to the most recent releases of Spring Boot Admin 2.6.10 and 2.7.8 to resolve this issue. Users unable to upgrade may disable any notifier or disable write access (POST request) on `/env` actuator endpoint. | |||||
| CVE-2022-45907 | 1 Linuxfoundation | 1 Pytorch | 2024-02-04 | N/A | 9.8 CRITICAL |
| In PyTorch before trunk/89695, torch.jit.annotations.parse_type_line can cause arbitrary code execution because eval is used unsafely. | |||||
| CVE-2023-24576 | 1 Dell | 1 Emc Networker | 2024-02-04 | N/A | 9.8 CRITICAL |
| EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd) irrespective of any auth used. | |||||