Total
3574 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-16343 | 1 Seacms | 1 Seacms | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. | |||||
CVE-2018-1999019 | 1 Chamilo | 1 Chamilo Lms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack appears to be exploitable via a simple GET request to the api endpoint. This vulnerability appears to have been fixed after commit 0de84700648f098c1fbf6b807dee28ec640efe62. | |||||
CVE-2018-3784 | 1 Cryo Project | 1 Cryo | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization. | |||||
CVE-2018-6012 | 1 Rainmachine | 2 Mini-8, Mini-8 Firmware | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The 'Weather Service' feature of the Green Electronics RainMachine Mini-8 (2nd generation) allows an attacker to inject arbitrary Python code via the 'Add new weather data source' upload function. | |||||
CVE-2018-20605 | 1 Txjia | 1 Imcat | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
imcat 4.4 allows remote attackers to execute arbitrary PHP code by using root/run/adm.php to modify the boot/bootskip.php file. | |||||
CVE-2018-0674 | 1 Hibara | 1 Attachecase | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script execution via unspecified vectors. | |||||
CVE-2019-7720 | 1 Taogogo | 1 Taocms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | |||||
CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
CVE-2015-9272 | 1 Videowhisper | 1 Video Presentation | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters, as demonstrated by a .phtml file containing PHP code. | |||||
CVE-2016-5402 | 1 Redhat | 2 Cloudforms, Cloudforms Management Engine | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
A code injection flaw was found in the way capacity and utilization imported control files are processed. A remote, authenticated attacker with access to the capacity and utilization feature could use this flaw to execute arbitrary code as the user CFME runs as. | |||||
CVE-2018-6499 | 1 Microfocus | 9 Autopass License Server, Data Center Automation, Hybrid Cloud Management and 6 more | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The following products allow Remote Code Execution: Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05; Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05; Data Center Automation Containerized Suite 2017.01 until 2018.05; Service Management Automation Suite 2017.11, 2018.02, 2018.05; Service Virtualization (SV) with floating licenses, any version using APLS older than 10.7; Unified Functional Testing (UFT) with floating licenses, any version using APLS older than 10.7; Network Virtualization (NV) with floating licenses, any version using APLS older than 10.7; and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05. | |||||
CVE-2018-18426 | 1 S-cms | 1 S-cms | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
s-cms 3.0 allows remote attackers to execute arbitrary PHP code by placing this code in a crafted User-agent Disallow value in the robots.php txt parameter. | |||||
CVE-2019-8908 | 1 Wtcms Project | 1 Wtcms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header. | |||||
CVE-2019-0542 | 2 Redhat, Xtermjs | 2 Openshift Container Platform, Xterm.js | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
A remote code execution vulnerability exists in Xterm.js when the component mishandles special characters, aka "Xterm Remote Code Execution Vulnerability." This affects xterm.js. | |||||
CVE-2019-9227 | 1 Baigo | 1 Baigo Cms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file. | |||||
CVE-2019-6289 | 1 Dedecms | 1 Dedecms | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by the 1.pHP filename. | |||||
CVE-2016-9651 | 2 Google, Redhat | 4 Chrome, Enterprise Linux Desktop, Enterprise Linux Server and 1 more | 2024-02-04 | 6.8 MEDIUM | 8.8 HIGH |
A missing check for whether a property of a JS object is private in V8 in Google Chrome prior to 55.0.2883.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. | |||||
CVE-2019-6713 | 1 Thinkcmf | 1 Thinkcmf | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a file_put_contents call. | |||||
CVE-2018-14579 | 1 Golemcms Project | 1 Golemcms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct request for install/install.sql. | |||||
CVE-2018-15728 | 1 Couchbase | 1 Couchbase Server | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2 |