Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2009-0677 | 1 Ravenphpscripts | 1 Ravennuke | 2018-10-10 | 6.5 MEDIUM | N/A |
| avatarlist.php in the Your Account module, reached through modules.php, in Raven Web Services RavenNuke 2.30 allows remote authenticated users to execute arbitrary code via PHP sequences in an element of the replacements array, which is processed by the preg_replace function with the eval switch, as specified in an element of the patterns array. | |||||
| CVE-2009-0572 | 1 Flatnux | 1 Flatnux | 2018-10-10 | 5.1 MEDIUM | N/A |
| PHP remote file inclusion vulnerability in include/flatnux.php in FlatnuX CMS (aka Flatnuke3) 2009-01-27 and 2009-02-04, when register_globals is enabled and magic_quotes_gpc disabled, allows remote attackers to execute arbitrary PHP code via a URL in the _FNROOTPATH parameter to (1) index.php and (2) filemanager.php. | |||||
| CVE-2016-2242 | 1 Exponentcms | 1 Exponent Cms | 2018-10-09 | 10.0 HIGH | 9.8 CRITICAL |
| Exponent CMS 2.x before 2.3.7 Patch 3 allows remote attackers to execute arbitrary code via the sc parameter to install/index.php. | |||||
| CVE-2015-8351 | 1 Gwolle Guestbook Project | 1 Gwolle Guestbook | 2018-10-09 | 6.8 MEDIUM | 9.0 CRITICAL |
| PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled. | |||||
| CVE-2015-5603 | 1 Atlassian | 1 Hipchat | 2018-10-09 | 6.5 MEDIUM | N/A |
| The HipChat for JIRA plugin before 6.30.0 for Atlassian JIRA allows remote authenticated users to execute arbitrary Java code via unspecified vectors, related to "Velocity Template Injection Vulnerability." | |||||
| CVE-2014-9185 | 1 Morfy Cms Project | 1 Morfy Cms | 2018-10-09 | 6.5 MEDIUM | N/A |
| Static code injection vulnerability in install.php in Morfy CMS 1.05 allows remote authenticated users to inject arbitrary PHP code into config.php via the site_url parameter. | |||||
| CVE-2014-8872 | 1 Avm | 4 Fritz\!box 6810 Lte, Fritz\!box 6810 Lte Firmware, Fritz\!box 6840 Lte and 1 more | 2018-10-09 | 9.3 HIGH | 7.8 HIGH |
| Improper Verification of Cryptographic Signature in AVM FRITZ!Box 6810 LTE after firmware 5.22, FRITZ!Box 6840 LTE after firmware 5.23, and other models with firmware 5.50. | |||||
| CVE-2014-8791 | 1 Enalean | 1 Tuleap | 2018-10-09 | 6.0 MEDIUM | N/A |
| project/register.php in Tuleap before 7.7, when sys_create_project_in_one_step is disabled, allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via the data parameter. | |||||
| CVE-2014-8778 | 1 Checkmarx | 1 Cxsast | 2018-10-09 | 9.0 HIGH | N/A |
| Checkmarx CxSAST (formerly CxSuite) before 7.1.8 allows remote authenticated users to bypass the CxQL sandbox protection mechanism and execute arbitrary C# code by asserting the (1) System.Security.Permissions.PermissionState.Unrestricted or (2) System.Security.Permissions.SecurityPermissionFlag.AllFlags permission. | |||||
| CVE-2014-8877 | 1 Creative Minds | 1 Cm Download Manager | 2018-10-09 | 10.0 HIGH | N/A |
| The alterSearchQuery function in lib/controllers/CmdownloadController.php in the CreativeMinds CM Downloads Manager plugin before 2.0.4 for WordPress allows remote attackers to execute arbitrary PHP code via the CMDsearch parameter to cmdownloads/, which is processed by the PHP create_function function. | |||||
| CVE-2014-8313 | 1 Sap | 1 Hana | 2018-10-09 | 6.0 MEDIUM | N/A |
| Eval injection in ide/core/base/server/net.xsjs in the Developer Workbench in SAP HANA allows remote attackers to execute arbitrary XSJX code via unspecified vectors. | |||||
| CVE-2014-8081 | 1 Testlink | 1 Testlink | 2018-10-09 | 7.5 HIGH | N/A |
| lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the filter_result_result parameter. | |||||
| CVE-2014-5340 | 1 Check Mk Project | 1 Check Mk | 2018-10-09 | 9.3 HIGH | N/A |
| The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL. | |||||
| CVE-2014-5297 | 1 X2engine | 1 X2engine | 2018-10-09 | 7.5 HIGH | N/A |
| The actionSendErrorReport method in protected/controllers/SiteController.php in X2Engine 2.8 through 4.1.7 allows remote attackers to conduct PHP object injection and Server-Side Request Forgery (SSRF) attacks via crafted serialized data in the report parameter. | |||||
| CVE-2014-2996 | 1 Xcloner | 1 Xcloner | 2018-10-09 | 7.1 HIGH | N/A |
| XCloner Standalone 3.5 and earlier, when enable_db_backup and sql_mem are enabled, allows remote authenticated administrators to execute arbitrary commands via shell metacharacters in the dbbackup_comp parameter in a generate action to index2.php. NOTE: it is not clear whether this issue crosses privilege boundaries, since administrators might already have the privileges to execute code. NOTE: this can be leveraged by remote attackers using CVE-2014-2579. | |||||
| CVE-2014-2988 | 1 Egroupware | 1 Egroupware | 2018-10-09 | 8.5 HIGH | N/A |
| EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987. | |||||
| CVE-2014-2177 | 1 Cisco | 7 Rv120w, Rv120w Firmware, Rv180 and 4 more | 2018-10-09 | 9.0 HIGH | N/A |
| The network-diagnostics administration interface in the Cisco RV router firmware on RV220W devices, before 1.0.5.9 on RV120W devices, and before 1.0.4.14 on RV180 and RV180W devices allows remote authenticated users to execute arbitrary commands via a crafted HTTP request, aka Bug ID CSCuh87126. | |||||
| CVE-2011-3828 | 1 Sunplus-tech | 1 Dvr Remote Activex Control | 2018-10-09 | 9.3 HIGH | N/A |
| DVRemoteAx.ax 2.1.0.39 in the DVR Remote ActiveX control allows remote attackers to execute arbitrary code via a crafted DVRobot.dll file in a manifest directory on a web server. | |||||
| CVE-2011-0487 | 1 Icq | 1 Icq | 2018-10-09 | 9.3 HIGH | N/A |
| ICQ 7 does not verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a crafted file that is fetched through an automatic-update mechanism. | |||||
| CVE-2011-0635 | 1 Simploo | 1 Simploo Cms | 2018-10-09 | 6.0 MEDIUM | N/A |
| Static code injection vulnerability in Simploo CMS 1.7.1 and earlier allows remote authenticated users to inject arbitrary PHP code into config/custom/base.ini.php via the ftpserver parameter (FTP-Server field) to the sicore/updates/optionssav operation for index.php. | |||||