Total
3569 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2018-8284 | 1 Microsoft | 13 .net Framework, Project Server, Sharepoint Enterprise Server and 10 more | 2024-02-04 | 9.3 HIGH | 8.1 HIGH |
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2. | |||||
CVE-2017-1242 | 1 Ibm | 2 Rational Collaborative Lifecycle Management, Rational Quality Manager | 2024-02-04 | 3.5 LOW | 5.4 MEDIUM |
IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124524. | |||||
CVE-2017-16082 | 1 Node-postgres | 1 Pg | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
A remote code execution vulnerability was found within the pg module when the remote database or query specifies a specially crafted column name. There are 2 likely scenarios in which one would likely be vulnerable. 1) Executing unsafe, user-supplied sql which contains a malicious column name. 2) Connecting to an untrusted database and executing a query which returns results where any of the column names are malicious. | |||||
CVE-2016-10541 | 1 Shell-quote Project | 1 Shell-quote | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape the ">" and "<" operators used for redirection in the shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. | |||||
CVE-2016-10546 | 1 Pouchdb | 1 Pouchdb | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
An arbitrary code injection vector was found in PouchDB 6.0.4 and lesser via the map/reduce functions used in PouchDB temporary views and design documents. The code execution engine for this branch is not properly sandboxed and may be used to run arbitrary JavaScript as well as system commands. | |||||
CVE-2018-7951 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2024-02-04 | 9.0 HIGH | 8.8 HIGH |
The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers has a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of the administrator. Successful exploit may allow attackers to obtain the management privilege of the system. | |||||
CVE-2018-7466 | 1 Testlink | 1 Testlink | 2024-02-04 | 6.0 MEDIUM | 7.5 HIGH |
install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value. | |||||
CVE-2017-16020 | 1 Summit Project | 1 Summit | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Summit is a node web framework. When using the PouchDB driver in the module, Summit 0.1.0 and later allows an attacker to execute arbitrary commands via the collection name. | |||||
CVE-2018-10133 | 1 Pbootcms | 1 Pbootcms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php/About/6.html or admin.php/Site/index.html, related to the parserIfLabel function in \apps\home\controller\ParserController.php. | |||||
CVE-2018-10086 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
CMS Made Simple (CMSMS) through 2.2.7 contains an arbitrary code execution vulnerability in the admin dashboard because the implementation uses "eval('function testfunction'.rand()" and it is possible to bypass certain restrictions on these "testfunction" functions. | |||||
CVE-2018-8074 | 1 Yiiframework | 1 Yii | 2024-02-04 | 6.8 MEDIUM | 8.1 HIGH |
Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension. | |||||
CVE-2017-16670 | 1 Smartbear | 1 Soapui | 2024-02-04 | 6.8 MEDIUM | 7.8 HIGH |
The project import functionality in SoapUI 5.3.0 allows remote attackers to execute arbitrary Java code via a crafted request parameter in a WSDL project file. | |||||
CVE-2018-9848 | 1 Gxlcms | 1 Gxlcms Qy | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request. | |||||
CVE-2018-9174 | 1 Dedecms | 1 Dedecms | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. | |||||
CVE-2018-6889 | 1 Typesettercms | 1 Typesetter | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
An issue was discovered in Typesetter 5.1. It suffers from a Host header injection vulnerability. Using this attack, a malicious user can poison the web cache, perform advanced password reset attacks, or even trigger arbitrary user redirection. | |||||
CVE-2018-10515 | 1 Cmsmadesimple | 1 Cms Made Simple | 2024-02-04 | 6.5 MEDIUM | 7.2 HIGH |
In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive. | |||||
CVE-2018-8073 | 1 Yiiframework | 1 Yii | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension. | |||||
CVE-2018-5779 | 1 Mitel | 2 Connect Onsite, St14.2 | 2024-02-04 | 10.0 HIGH | 9.8 CRITICAL |
A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application. | |||||
CVE-2017-10835 | 1 Nippon-antenna | 2 Scr02hd, Scr02hd Firmware | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors. | |||||
CVE-2016-5713 | 1 Puppet | 1 Puppet Agent | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
Versions of Puppet Agent prior to 1.6.0 included a version of the Puppet Execution Protocol (PXP) agent that passed environment variables through to Puppet runs. This could allow unauthorized code to be loaded. This bug was first introduced in Puppet Agent 1.3.0. |