Total
3575 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-20601 | 1 Thinkcmf | 1 Thinkcmf | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue in ThinkCMF X2.2.2 and below allows attackers to execute arbitrary code via a crafted packet. | |||||
| CVE-2022-23120 | 2 Linux, Trendmicro | 2 Linux Kernel, Deep Security Agent | 2024-02-04 | 6.9 MEDIUM | 7.8 HIGH |
| A code injection vulnerability in Trend Micro Deep Security and Cloud One - Workload Security Agent for Linux version 20 and below could allow an attacker to escalate privileges and run arbitrary code in the context of root. Please note: an attacker must first obtain access to the target agent in an un-activated and unconfigured state in order to exploit this vulnerability. | |||||
| CVE-2021-34994 | 1 Commvault | 1 Commcell | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider class. The issue results from the lack of proper validation of a user-supplied string before executing it as JavaScript code. An attacker can leverage this vulnerability to escape the JavaScript sandbox and execute Java code in the context of NETWORK SERVICE. Was ZDI-CAN-13755. | |||||
| CVE-2020-23037 | 1 Portable | 1 Playable | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | |||||
| CVE-2021-37097 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2024-02-04 | 7.8 HIGH | 7.5 HIGH |
| There is a Code Injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to system restart. | |||||
| CVE-2021-42309 | 1 Microsoft | 3 Sharepoint Enterprise Server, Sharepoint Foundation, Sharepoint Server | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | |||||
| CVE-2021-22053 | 1 Vmware | 1 Spring Cloud Netflix | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Applications using both `spring-cloud-netflix-hystrix-dashboard` and `spring-boot-starter-thymeleaf` expose a way to execute code submitted within the request URI path during the resolution of view templates. When a request is made at `/hystrix/monitor;[user-provided data]`, the path elements following `hystrix/monitor` are being evaluated as SpringEL expressions, which can lead to code execution. | |||||
| CVE-2021-43811 | 1 Amazon | 1 Sockeye | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| Sockeye is an open-source sequence-to-sequence framework for Neural Machine Translation built on PyTorch. Sockeye uses YAML to store model and data configurations on disk. Versions below 2.3.24 use unsafe YAML loading, which can be made to execute arbitrary code embedded in config files. An attacker can add malicious code to the config file of a trained model and attempt to convince users to download and run it. If users run the model, the embedded code will run locally. The issue is fixed in version 2.3.24. | |||||
| CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | |||||
| CVE-2021-45029 | 1 Apache | 1 Shenyu | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | |||||
| CVE-2021-43466 | 1 Thymeleaf | 1 Thymeleaf | 2024-02-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution. | |||||
| CVE-2021-43837 | 1 Vault-cli Project | 1 Vault-cli | 2024-02-04 | 9.0 HIGH | 9.1 CRITICAL |
| vault-cli is a configurable command-line interface tool (and python library) to interact with Hashicorp Vault. In versions before 3.0.0 vault-cli features the ability for rendering templated values. When a secret starts with the prefix `!template!`, vault-cli interprets the rest of the contents of the secret as a Jinja2 template. Jinja2 is a powerful templating engine and is not designed to safely render arbitrary templates. An attacker controlling a jinja2 template rendered on a machine can trigger arbitrary code, making this a Remote Code Execution (RCE) risk. If the content of the vault can be completely trusted, then this is not a problem. Otherwise, if your threat model includes cases where an attacker can manipulate a secret value read from the vault using vault-cli, then this vulnerability may impact you. In 3.0.0, the code related to interpreting vault templated secrets has been removed entirely. Users are advised to upgrade as soon as possible. For users unable to upgrade a workaround does exist. Using the environment variable `VAULT_CLI_RENDER=false` or the flag `--no-render` (placed between `vault-cli` and the subcommand, e.g. `vault-cli --no-render get-all`) or adding `render: false` to the vault-cli configuration yaml file disables rendering and removes the vulnerability. Using the python library, you can use: `vault_cli.get_client(render=False)` when creating your client to get a client that will not render templated secrets and thus operates securely. | |||||
| CVE-2020-21650 | 1 Myucms Project | 1 Myucms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| Myucms v2.2.1 contains a remote code execution (RCE) vulnerability in the component \controller\Config.php, which can be exploited via the add() method. | |||||
| CVE-2022-22286 | 2 Google, Samsung | 2 Android, Bixby Routines | 2024-02-04 | 3.6 LOW | 7.1 HIGH |
| A vulnerability using PendingIntent in Bixby Routines prior to version 3.1.21.8 in Android R(11.0) and 2.6.30.5 in Android Q(10.0) allows attackers to execute privileged action by hijacking and modifying the intent. | |||||
| CVE-2021-40348 | 2 Spacewalk Project, Uyuni Project | 2 Spacewalk, Uyuni | 2024-02-04 | 9.3 HIGH | 8.8 HIGH |
| Spacewalk 2.10, and derivatives such as Uyuni 2021.08, allows code injection. rhn-config-satellite.pl doesn't sanitize the configuration filename used to append Spacewalk-specific key-value pair. The script is intended to be run by the tomcat user account with Sudo, according to the installation setup. This can lead to the ability of an attacker to use --option to append arbitrary code to a root-owned file that eventually will be executed by the system. This is fixed in Uyuni spacewalk-admin 4.3.2-1. | |||||
| CVE-2021-44734 | 1 Lexmark | 467 6500e, 6500e Firmware, B2236 and 464 more | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| Embedded web server input sanitization vulnerability in Lexmark devices through 2021-12-07, which can which can lead to remote code execution on the device. | |||||
| CVE-2021-44231 | 1 Sap | 2 Abap Platform, Netweaver As Abap | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Internally used text extraction reports allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2021-33493 | 1 Open-xchange | 1 Ox App Suite | 2024-02-04 | 3.6 LOW | 6.0 MEDIUM |
| The middleware component in OX App Suite through 7.10.5 allows Code Injection via Java classes in a YAML format. | |||||
| CVE-2020-21652 | 1 Myucms Project | 1 Myucms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Myucms v2.2.1 contains a remote code execution (RCE) vulnerability in the component \controller\Config.php, which can be exploited via the addqq() method. | |||||
| CVE-2021-43269 | 1 Code42 | 1 Code42 | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| In Code42 app before 8.8.0, eval injection allows an attacker to change a device’s proxy configuration to use a malicious proxy auto-config (PAC) file, leading to arbitrary code execution. This affects Incydr Basic, Advanced, and Gov F1; CrashPlan Cloud; and CrashPlan for Small Business. (Incydr Professional and Enterprise are unaffected.) | |||||