Total
3574 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-4716 | 1 Ibm | 1 Planning Analytics | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. | |||||
| CVE-2019-17306 | 1 Sugarcrm | 1 Sugarcrm | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. | |||||
| CVE-2019-20343 | 1 Mojohaus | 1 Exec Maven | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element). | |||||
| CVE-2013-4225 | 1 Restful Web Services Project | 1 Restful Web Services | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| The RESTful Web Services (restws) module 7.x-1.x before 7.x-1.4 and 7.x-2.x before 7.x-2.1 for Drupal does not properly restrict access to entity write operations, which makes it easier for remote authenticated users with the "access resource node" and "create page content" permissions (or equivalents) to conduct cross-site scripting (XSS) or execute arbitrary PHP code via a crafted text field. | |||||
| CVE-2019-10760 | 1 Safer-eval Project | 1 Safer-eval | 2024-02-04 | 6.5 MEDIUM | 9.9 CRITICAL |
| safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. | |||||
| CVE-2019-19502 | 1 Maleck | 1 Image Uploader And Browser For Ckeditor | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Code injection in pluginconfig.php in Image Uploader and Browser for CKEditor before 4.1.9 allows remote authenticated users to execute arbitrary PHP code. | |||||
| CVE-2018-21023 | 1 Centreon | 1 Centreon Web | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter. | |||||
| CVE-2019-15746 | 1 Sitos | 1 Sitos Six | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
| SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user. | |||||
| CVE-2019-13714 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||||
| CVE-2019-17613 | 1 Qibosoft | 1 Qibosoft | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter. | |||||
| CVE-2019-3427 | 1 Zte | 2 Zxcdn Iamweb, Zxcdn Iamweb Firmware | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting in users’ information leakage. | |||||
| CVE-2019-15388 | 1 Coolpad | 2 Mega 5, Mega 5 Firmware | 2024-02-04 | 9.3 HIGH | 8.1 HIGH |
| The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more. | |||||
| CVE-2019-10684 | 1 74cms | 1 74cms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit site_domain parameter. | |||||
| CVE-2019-3759 | 1 Dell | 2 Rsa Identity Governance And Lifecycle, Rsa Via Lifecycle And Governance | 2024-02-04 | 5.5 MEDIUM | 8.1 HIGH |
| The RSA Identity Governance and Lifecycle software and RSA Via Lifecycle and Governance products prior to 7.1.0 P08 contain a code injection vulnerability. A remote authenticated malicious user could potentially exploit this vulnerability to run custom Groovy scripts to gain limited access to view or modify information on the Workflow system. | |||||
| CVE-2019-10173 | 2 Oracle, Xstream Project | 10 Banking Platform, Business Activity Monitoring, Communications Billing And Revenue Management Elastic Charging Engine and 7 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285) | |||||
| CVE-2019-14242 | 2 Bitdefender, Microsoft | 5 Antivirus Plus, Endpoint Security Tool, Internet Security and 2 more | 2024-02-04 | 7.2 HIGH | 6.7 MEDIUM |
| An issue was discovered in Bitdefender products for Windows (Bitdefender Endpoint Security Tool versions prior to 6.6.8.115; and Bitdefender Antivirus Plus, Bitdefender Internet Security, and Bitdefender Total Security versions prior to 23.0.24.120) that can lead to local code injection. A local attacker with administrator privileges can create a malicious DLL file in %SystemRoot%\System32\ that will be executed with local user privileges. | |||||
| CVE-2019-7539 | 1 Ipycache Project | 1 Ipycache | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| A code injection issue was discovered in ipycache through 2016-05-31. | |||||
| CVE-2018-20896 | 1 Cpanel | 1 Cpanel | 2024-02-04 | 3.3 LOW | 3.9 LOW |
| cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394). | |||||
| CVE-2019-0091 | 1 Intel | 2 Converged Security And Management Engine, Trusted Execution Technology | 2024-02-04 | 7.2 HIGH | 7.8 HIGH |
| Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access. | |||||
| CVE-2019-14281 | 1 Datagrid Project | 1 Datagrid | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | |||||