Total: 3761 CVE

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2006-5045 | 1 Joomlaxt | 1 Com Pollxt | 2023-11-07 | 6.8 MEDIUM | N/A | Unspecified vulnerability in PollXT component (com_pollxt) 1.22.07 and earlier for Joomla! has unspecified impact and attack vectors, probably related to PHP remote file inclusion in the mosConfig_absolute_path to conf.pollxt.php. |
CVE-2006-5048 | 2 Joomla, Waltercedric | 2 Joomla!, Com Securityimages | 2023-11-07 | 6.8 MEDIUM | N/A | Multiple PHP remote file inclusion vulnerabilities in Security Images (com_securityimages) component 3.0.5 and earlier for Joomla! allow remote attackers to execute arbitrary code via a URL in the mosConfig_absolute_path parameter in (1) configinsert.php, (2) lang.php, (3) client.php, and (4) server.php. |
CVE-2006-4074 | 1 Joomla | 1 Jd-wiki | 2023-11-07 | 6.8 MEDIUM | N/A | PHP remote file inclusion vulnerability in lib/tpl/default/main.php in the JD-Wiki Component (com_jd-wiki) 1.0.2 and earlier for Joomla!, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
CVE-2006-4130 | 1 Matt Smith | 1 Remository For Mambo | 2023-11-07 | 6.8 MEDIUM | N/A | PHP remote file inclusion vulnerability in admin.remository.php in the Remository Component (com_remository) 3.25 and earlier for Mambo and Joomla!, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. |
CVE-2003-1500 | 1 Cpcommerce | 1 Cpcommerce | 2023-11-07 | 6.8 MEDIUM | N/A | PHP remote file inclusion vulnerability in _functions.php in cpCommerce 0.5f allows remote attackers to execute arbitrary code via the prefix parameter. |
CVE-2002-2019 | 1 Oscommerce | 1 Oscommerce | 2023-11-07 | 7.5 HIGH | N/A | PHP remote file inclusion vulnerability in include_once.php in osCommerce (a.k.a. Exchange Project) 2.1 allows remote attackers to execute arbitrary PHP code via the include_file parameter. |
CVE-2002-1991 | 1 Oscommerce | 1 Oscommerce | 2023-11-07 | 7.5 HIGH | N/A | PHP file inclusion vulnerability in osCommerce 2.1 allows execution of arbitrary commands via the include_file parameter to include_once.php. |
CVE-1999-0891 | 1 Microsoft | 1 Internet Explorer | 2023-11-07 | 5.0 MEDIUM | N/A | The "download behavior" in Internet Explorer 5 allows remote attackers to read arbitrary files via a server-side redirect. |
CVE-1999-0702 | 1 Microsoft | 1 Internet Explorer | 2023-11-07 | 10.0 HIGH | N/A | Internet Explorer 5.0 and 5.01 allows remote attackers to modify or execute files via the Import/Export Favorites feature, aka the "ImportExportFavorites" vulnerability. |
CVE-2000-0155 | 1 Microsoft | 3 Windows 95, Windows 98, Windows Nt | 2023-11-07 | 7.2 HIGH | N/A | Windows NT Autorun executes the autorun.inf file on non-removable media, which allows local attackers to specify an alternate program to execute when other users access a drive. |
CVE-1999-0491 | 1 Gnu | 1 Bash | 2023-11-07 | 4.6 MEDIUM | N/A | The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute. |
CVE-2021-29493 | 1 Kennnyshiwa-cogs Project | 1 Kennnyshiwa-cogs | 2023-11-06 | 6.5 MEDIUM | 8.8 HIGH | Kennnyshiwa-cogs contains cogs for Red Discordbot. An RCE exploit has been found in the Tickets module of kennnyshiwa-cogs. This exploit allows discord users to craft a message that can reveal sensitive and harmful information. Users can upgrade to version 5a84d60018468e5c0346f7ee74b2b4650a6dade7 to receive a patch or, as a workaround, unload tickets to render the exploit unusable. |
CVE-2023-43792 | 1 Basercms | 1 Basercms | 2023-11-06 | N/A | 9.8 CRITICAL | baserCMS is a website development framework. In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. As of time of publication, no known patched versions are available. |
CVE-2023-44141 | 1 Inkdrop | 1 Inkdrop | 2023-11-06 | N/A | 7.8 HIGH | Inkdrop prior to v5.6.0 allows a local attacker to conduct a code injection attack by having a legitimate user open a specially crafted markdown file. |
CVE-2023-37909 | 1 Xwiki | 1 Xwiki | 2023-10-31 | N/A | 8.8 HIGH | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.8 and 15.3-rc-1 by adding proper escaping. As a workaround, the patch can be manually applied to the document `Menu.UIExtensionSheet`; only three lines need to be changed. |
CVE-2023-33229 | 1 Solarwinds | 1 Solarwinds Platform | 2023-10-30 | N/A | 3.5 LOW | The SolarWinds Platform was susceptible to the Incorrect Input Neutralization Vulnerability. This vulnerability allows a remote adversary with a valid SolarWinds Platform account to append URL parameters to inject passive HTML. |
CVE-2023-41898 | 1 Home-assistant | 1 Home Assistant Companion | 2023-10-26 | N/A | 7.8 HIGH | Home Assistant is an open source home automation platform. The Home Assistant Companion for Android app up to version 2023.8.2 is vulnerable to arbitrary URL loading in a WebView. This enables all sorts of attacks, including arbitrary JavaScript execution, limited native code execution, and credential theft. This issue has been patched in version 2023.9.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as GitHub Security Lab (GHSL) Vulnerability Report: `GHSL-2023-142`. |
CVE-2023-1283 | 1 Builder | 1 Qwik | 2023-10-25 | N/A | 9.8 CRITICAL | Code Injection in GitHub repository builderio/qwik prior to 0.21.0. |
CVE-2019-10431 | 1 Jenkins | 1 Script Security | 2023-10-25 | 6.5 MEDIUM | 9.9 CRITICAL | A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts. |
CVE-2023-29453 | 1 Zabbix | 1 Zabbix-agent2 | 2023-10-24 | N/A | 9.8 CRITICAL | Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. With fix, Template.Parse returns an Error when it encounters templates like this, with an ErrorCode of value 12. This ErrorCode is currently unexported but will be exported in the release of Go 1.21. Users who rely on the previous behavior can re-enable it using the GODEBUG flag jstmpllitinterp=1, with the caveat that backticks will now be escaped. This should be used with caution. |