Total
3574 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18573 | 1 Oscommerce | 1 Oscommerce | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| osCommerce 2.3.4.1 has an incomplete '.htaccess' for blacklist filtering in the "product" page. Remote authenticated administrators can upload new '.htaccess' files (e.g., omitting .php) and subsequently achieve arbitrary PHP code execution via a /catalog/admin/categories.php?cPath=&action=new_product URI. | |||||
| CVE-2019-13354 | 1 Strong Password Project | 1 Strong Password | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. | |||||
| CVE-2013-7468 | 1 Simplemachines | 1 Simple Machines Forum | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
| Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter. | |||||
| CVE-2019-14965 | 1 Frappe | 1 Frappe | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. | |||||
| CVE-2019-12844 | 1 Jetbrains | 1 Teamcity | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3. | |||||
| CVE-2018-6498 | 1 Microfocus | 5 Data Center Automation, Hybrid Cloud Management, Network Operations Management and 2 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution. | |||||
| CVE-2018-19595 | 1 Pbootcms | 1 Pbootcms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism. | |||||
| CVE-2018-17134 | 1 Phpmywind | 1 Phpmywind | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | |||||
| CVE-2018-20768 | 1 Xerox | 58 Workcentre 3655, Workcentre 3655 Firmware, Workcentre 3655i and 55 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file. | |||||
| CVE-2018-0675 | 1 Hibara | 1 Attachecase | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
| AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script execution via unspecified vectors. | |||||
| CVE-2018-19053 | 1 Pbootcms | 1 Pbootcms | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
| PbootCMS 1.2.2 allows remote attackers to execute arbitrary PHP code by specifying a .php filename in a "SET GLOBAL general_log_file" statement, followed by a SELECT statement containing this PHP code. | |||||
| CVE-2018-18461 | 1 Kibokolabs | 1 Arigato Autoresponder And Newsletter | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The Arigato Autoresponder and Newsletter (aka bft-autoresponder) v2.5.1.7 plugin for WordPress allows remote attackers to execute arbitrary code via PHP code in attachments[] data to models/attachment.php. | |||||
| CVE-2019-7692 | 1 Cim Project | 1 Cim | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| install/install.php in CIM 0.9.3 allows remote attackers to execute arbitrary PHP code via a crafted prefix value because of configuration file mishandling in the N=83 case, as demonstrated by a call to the PHP fputs function that creates a .php file in the public folder. | |||||
| CVE-2014-2302 | 1 Webedition | 1 Webedition Cms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org. | |||||
| CVE-2018-18892 | 1 1234n | 1 Minicms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the site_name field in mc_conf.php. | |||||
| CVE-2018-14421 | 1 Seacms | 1 Seacms | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
| SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. | |||||
| CVE-2019-8942 | 2 Debian, Wordpress | 2 Debian Linux, Wordpress | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can execute arbitrary code by uploading a crafted image containing PHP code in the Exif metadata. Exploitation can leverage CVE-2019-8943. | |||||
| CVE-2018-11780 | 4 Apache, Canonical, Debian and 1 more | 4 Spamassassin, Ubuntu Linux, Debian Linux and 1 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2. | |||||
| CVE-2019-0247 | 1 Sap | 1 Cloud Connector | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2018-1808 | 1 Ibm | 1 Websphere Commerce | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828. | |||||