Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27869 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2023-08-03 | N/A | 8.8 HIGH |
| IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an unchecked logger injection. By sending a specially crafted request using the named traceFile property, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249517. | |||||
| CVE-2023-27867 | 5 Hp, Ibm, Linux and 2 more | 6 Hp-ux, Aix, Db2 and 3 more | 2023-08-03 | N/A | 8.8 HIGH |
| IBM Db2 JDBC Driver for Db2 for Linux, UNIX and Windows 10.5, 11.1, and 11.5 could allow a remote authenticated attacker to execute arbitrary code via JNDI Injection. By sending a specially crafted request using the property clientRerouteServerListJNDIName, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 249514. | |||||
| CVE-2022-2054 | 1 Nuitka | 1 Nuitka | 2023-08-02 | 7.2 HIGH | 7.8 HIGH |
| Code Injection in GitHub repository nuitka/nuitka prior to 0.9. | |||||
| CVE-2023-37274 | 1 Agpt | 1 Auto-gpt | 2023-07-27 | N/A | 7.8 HIGH |
| Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. When Auto-GPT is executed directly on the host system via the provided run.sh or run.bat files, custom Python code execution is sandboxed using a temporary dedicated docker container which should not have access to any files outside of the Auto-GPT workspace directory. Before v0.4.3, the `execute_python_code` command (introduced in v0.4.1) does not sanitize the `basename` arg before writing LLM-supplied code to a file with an LLM-supplied name. This allows for a path traversal attack that can overwrite any .py file outside the workspace directory by specifying a `basename` such as `../../../main.py`. This can further be abused to achieve arbitrary code execution on the host running Auto-GPT by e.g. overwriting autogpt/main.py which will be executed outside of the docker environment meant to sandbox custom python code execution the next time Auto-GPT is started. The issue has been patched in version 0.4.3. As a workaround, the risk introduced by this vulnerability can be remediated by running Auto-GPT in a virtual machine, or another environment in which damage to files or corruption of the program is not a critical problem. | |||||
| CVE-2023-37273 | 1 Agpt | 1 Auto-gpt | 2023-07-27 | N/A | 8.8 HIGH |
| Auto-GPT is an experimental open-source application showcasing the capabilities of the GPT-4 language model. Running Auto-GPT version prior to 0.4.3 by cloning the git repo and executing `docker compose run auto-gpt` in the repo root uses a different docker-compose.yml file from the one suggested in the official docker set up instructions. The docker-compose.yml file located in the repo root mounts itself into the docker container without write protection. This means that if malicious custom python code is executed via the `execute_python_file` and `execute_python_code` commands, it can overwrite the docker-compose.yml file and abuse it to gain control of the host system the next time Auto-GPT is started. The issue has been patched in version 0.4.3. | |||||
| CVE-2023-37565 | 1 Elecom | 10 Wrc-1167febk-a, Wrc-1167febk-a Firmware, Wrc-1167febk-s and 7 more | 2023-07-25 | N/A | 8.0 HIGH |
| Code injection vulnerability in ELECOM wireless LAN routers allows a network-adjacent authenticated attacker to execute arbitrary code by sending a specially crafted request. Affected products and versions are as follows: WRC-1167GHBK-S v1.03 and earlier, WRC-1167GEBK-S v1.03 and earlier, WRC-1167FEBK-S v1.04 and earlier, WRC-1167GHBK3-A v1.24 and earlier, and WRC-1167FEBK-A v1.18 and earlier. | |||||
| CVE-2022-29171 | 1 Sourcegraph | 1 Sourcegraph | 2023-07-21 | 6.0 MEDIUM | 7.2 HIGH |
| Sourcegraph is a fast and featureful code search and navigation engine. Versions before 3.38.0 are vulnerable to Remote Code Execution in the gitserver service. The Gitolite code host integration with Phabricator allows Sourcegraph site admins to specify a `callsignCommand`, which is used to obtain the Phabricator metadata for a Gitolite repository. An administrator who is able to edit or add a Gitolite code host and has administrative access to Sourcegraph’s bundled Grafana instance can change this command arbitrarily and run it remotely. This grants direct access to the infrastructure underlying the Sourcegraph installation. The attack requires: site-admin privileges on the instance of Sourcegraph, Administrative privileges on the bundled Grafana monitoring instance, Knowledge of the gitserver IP address or DNS name (if running in Kubernetes). This can be found through Grafana. The issue is patched in version 3.38.0. You may disable Gitolite code hosts. We still highly encourage upgrading regardless of workarounds. | |||||
| CVE-2023-24492 | 2 Canonical, Citrix | 2 Ubuntu Linux, Secure Access Client | 2023-07-20 | N/A | 8.8 HIGH |
| A vulnerability has been discovered in the Citrix Secure Access client for Ubuntu which, if exploited, could allow an attacker to remotely execute code if a victim user opens an attacker-crafted link and accepts further prompts. | |||||
| CVE-2023-37199 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-07-20 | N/A | 7.2 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE tampers with backups which are then manually restored. | |||||
| CVE-2023-37198 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-07-19 | N/A | 7.2 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause remote code execution when an admin user on DCE uploads or tampers with install packages. | |||||
| CVE-2023-37659 | 1 Xalpha Project | 1 Xalpha | 2023-07-18 | N/A | 9.8 CRITICAL |
| xalpha v0.11.4 is vulnerable to Remote Command Execution (RCE). | |||||
| CVE-2023-30990 | 1 Ibm | 1 I | 2023-07-17 | N/A | 9.8 CRITICAL |
| IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036. | |||||
| CVE-2023-3551 | 1 Teampass | 1 Teampass | 2023-07-14 | N/A | 7.2 HIGH |
| Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||
| CVE-2023-36859 | 1 Piigab | 2 M-bus 900s, M-bus 900s Firmware | 2023-07-13 | N/A | 9.8 CRITICAL |
| PiiGAB M-Bus SoftwarePack 900S does not correctly sanitize user input, which could allow an attacker to inject arbitrary commands. | |||||
| CVE-2023-36992 | 1 Travianz Project | 1 Travianz | 2023-07-13 | N/A | 7.2 HIGH |
| PHP injection in TravianZ 8.3.4 and 8.3.3 in the config editor in the admin page allows remote attackers to execute PHP code. | |||||
| CVE-2019-5997 | 1 Panasonic | 1 Video Insight Vms | 2023-07-13 | 7.5 HIGH | 9.8 CRITICAL |
| Video Insight VMS versions prior to 7.6.1 allow remote attackers to conduct code injection attacks via unspecified vectors. | |||||
| CVE-2023-0090 | 1 Proofpoint | 1 Enterprise Protection | 2023-07-12 | N/A | 9.8 CRITICAL |
| The webservices in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows for an anonymous user to execute remote code through 'eval injection'. Exploitation requires network access to the webservices API, but such access is a non-standard configuration. This affects all versions 8.20.0 and below. | |||||
| CVE-2022-46333 | 1 Proofpoint | 1 Enterprise Protection | 2023-07-12 | N/A | 7.2 HIGH |
| The admin user interface in Proofpoint Enterprise Protection (PPS/PoD) contains a command injection vulnerability that enables an admin to execute commands beyond their allowed scope. This affects all versions 8.19.0 and below. | |||||
| CVE-2022-2636 | 1 Hestiacp | 1 Control Panel | 2023-07-12 | N/A | 8.8 HIGH |
| Improper Control of Generation of Code ('Code Injection') in GitHub repository hestiacp/hestiacp prior to 1.6.6. | |||||
| CVE-2023-36467 | 1 Amazon | 1 Aws-dataall | 2023-07-07 | N/A | 8.8 HIGH |
| AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around. | |||||