Total: 3575 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2022-2073 | 1 Getgrav | 1 Grav | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | Code Injection in GitHub repository getgrav/grav prior to 1.7.34.
CVE-2022-29307 | 1 Ionizecms | 1 Ionize | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | IonizeCMS v1.0.8.1 was discovered to contain a command injection vulnerability via the function copy_lang_content in application/models/lang_model.php.
CVE-2022-24663 | 1 Php Everywhere Project | 1 Php Everywhere | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH | PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.
CVE-2021-38745 | 1 Chamilo | 1 Chamilo | 2024-02-04 | 4.6 MEDIUM | 6.8 MEDIUM | Chamilo LMS v1.11.14 was discovered to contain a zero-click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
CVE-2022-29819 | 1 Jetbrains | 1 Intellij Idea | 2024-02-04 | 4.4 MEDIUM | 7.7 HIGH | In JetBrains IntelliJ IDEA before 2022.1, local code execution via links in Quick Documentation was possible.
CVE-2021-22395 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-02-04 | 5.0 MEDIUM | 7.5 HIGH | There is a code injection vulnerability in smartphones. Successful exploitation of this vulnerability may affect service confidentiality.
CVE-2022-24442 | 1 Jetbrains | 1 Youtrack | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates.
CVE-2021-43097 | 1 Diyhi | 1 Bbs | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | A Server-side Template Injection (SSTI) vulnerability exists in bbs 5.3 in TemplateManageAction.java which could let a malicious user execute arbitrary code.
CVE-2022-24295 | 1 Okta | 1 Advanced Server Access Client For Windows | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH | Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL.
CVE-2022-25498 | 1 Cuppacms | 1 Cuppacms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | CuppaCMS v1.0 was discovered to contain a remote code execution (RCE) vulnerability via the saveConfigData function in /classes/ajax/Functions.php.
CVE-2022-0896 | 1 Microweber | 1 Microweber | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH | Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository microweber/microweber prior to 1.3.
CVE-2022-29221 | 3 Debian, Fedoraproject, Smarty | 3 Debian Linux, Fedora, Smarty | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH | Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject PHP code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds.
CVE-2021-40219 | 1 Bolt | 1 Bolt Cms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH | Bolt CMS <= 4.2 is vulnerable to Remote Code Execution. Unsafe theme rendering allows an authenticated attacker to edit a theme to inject server-side template injection that leads to remote code execution.
CVE-2022-24828 | 3 Fedoraproject, Getcomposer, Tenable | 3 Fedora, Composer, Tenable.sc | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH | Composer is a dependency manager for the PHP programming language. Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. This leads to a vulnerability on packagist.org for example, where the composer.json's `readme` field can be used as a vector for injecting parameters into hg/Mercurial via the `$file` argument, or git via the `$identifier` argument if you allow arbitrary data there (Packagist does not, but maybe other integrators do). Composer itself should not be affected by the vulnerability as it does not call `getFileContent` with arbitrary data in `$file`/`$identifier`. To the best of our knowledge this was not abused, and the vulnerability has been patched on packagist.org and Private Packagist within a day of the vulnerability report.
CVE-2021-44238 | 1 Ayacms Project | 1 Ayacms | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | AyaCMS 3.1.2 is vulnerable to Remote Code Execution (RCE) via /aya/module/admin/ust_tab_e.inc.php.
CVE-2021-41402 | 1 Flatcore | 1 Flatcore-cms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH | flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code.
CVE-2022-0661 | 1 Ad Injection Project | 1 Ad Injection | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH | The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high-privileged user (Admin+) to inject arbitrary HTML or JavaScript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further, it is also possible to inject PHP code, leading to a Remote Code Execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set.
CVE-2022-22954 | 2 Linux, Vmware | 6 Linux Kernel, Cloud Foundation, Identity Manager and 3 more | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL | VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
CVE-2017-20095 | 1 Simple Ads Manager Project | 1 Simple Ads Manager | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely.
CVE-2021-44618 | 1 Nystudio107 | 1 Seomatic | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL | A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header.