Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-27866 | 1 Ibm | 1 Informix Jdbc Driver | 2023-07-06 | N/A | 9.8 CRITICAL |
| IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String. IBM X-Force ID: 249511. | |||||
| CVE-2008-6531 | 1 Atlassian | 1 Jira | 2023-07-06 | 6.8 MEDIUM | N/A |
| The WebWork 1 web application framework in Atlassian JIRA before 3.13.2 allows remote attackers to invoke exposed public JIRA methods via a crafted URL that is dynamically transformed into method calls, aka "WebWork 1 Parameter Injection Hole." | |||||
| CVE-2023-3393 | 1 Fossbilling | 1 Fossbilling | 2023-06-30 | N/A | 7.2 HIGH |
| Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. | |||||
| CVE-2023-35150 | 1 Xwiki | 1 Xwiki | 2023-06-30 | N/A | 8.0 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8. | |||||
| CVE-2023-35152 | 1 Xwiki | 1 Xwiki | 2023-06-30 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. | |||||
| CVE-2023-35926 | 1 Linuxfoundation | 1 Backstage | 2023-06-29 | N/A | 9.9 CRITICAL |
| Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library. A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not by user input data. This is vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`. | |||||
| CVE-2021-23277 | 1 Eaton | 3 Intelligent Power Manager, Intelligent Power Manager Virtual Appliance, Intelligent Power Protector | 2023-06-26 | 7.5 HIGH | 10.0 CRITICAL |
| Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated eval injection vulnerability. The software does not neutralize code syntax from users before using in the dynamic evaluation call in loadUserFile function under scripts/libs/utils.js. Successful exploitation can allow attackers to control the input to the function and execute attacker controlled commands. | |||||
| CVE-2021-34994 | 1 Commvault | 1 Commcell | 2023-06-26 | 6.5 MEDIUM | 8.8 HIGH |
| This vulnerability allows remote attackers to execute arbitrary code on affected installations of Commvault CommCell 11.22.22. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the DataProvider class. The issue results from the lack of proper validation of a user-supplied string before executing it as JavaScript code. An attacker can leverage this vulnerability to escape the JavaScript sandbox and execute Java code in the context of NETWORK SERVICE. Was ZDI-CAN-13755. | |||||
| CVE-2022-0323 | 1 Mustache Project | 1 Mustache | 2023-06-26 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1. | |||||
| CVE-2021-26622 | 2 Genians, Microsoft | 2 Genian Nac, Windows | 2023-06-26 | 10.0 HIGH | 10.0 CRITICAL |
| An remote code execution vulnerability due to SSTI vulnerability and insufficient file name parameter validation was discovered in Genian NAC. Remote attackers are able to execute arbitrary malicious code with SYSTEM privileges on all connected nodes in NAC through this vulnerability. | |||||
| CVE-2023-34251 | 1 Getgrav | 1 Grav | 2023-06-22 | N/A | 7.2 HIGH |
| Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. Version 1.7.42 contains a fix for this issue. | |||||
| CVE-2023-34448 | 1 Getgrav | 1 Grav | 2023-06-22 | N/A | 7.2 HIGH |
| Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions exposed by Twig's Core Extension that could be used to invoke arbitrary unsafe functions, thereby allowing for remote code execution. A patch in version 1.74.2 overrides the built-in Twig `map()` and `reduce()` filter functions in `system/src/Grav/Common/Twig/Extension/GravExtension.php` to validate the argument passed to the filter in `$arrow`. | |||||
| CVE-2023-1049 | 1 Schneider-electric | 2 Ecostruxure Operator Terminal Expert, Pro-face Blue | 2023-06-22 | N/A | 7.8 HIGH |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that could cause execution of malicious code when an unsuspicious user loads a project file from the local filesystem into the HMI. | |||||
| CVE-2023-0297 | 1 Pyload | 1 Pyload | 2023-06-15 | N/A | 9.8 CRITICAL |
| Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. | |||||
| CVE-2023-32540 | 1 Advantech | 1 Webaccess\/scada | 2023-06-12 | N/A | 9.8 CRITICAL |
| In Advantech WebAccss/SCADA v9.1.3 and prior, there is an arbitrary file overwrite vulnerability, which could allow an attacker to overwrite any file in the operating system (including system files), inject code into an XLS file, and modify the file extension, which could lead to arbitrary code execution. | |||||
| CVE-2022-35743 | 1 Microsoft | 16 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 13 more | 2023-06-07 | N/A | 7.8 HIGH |
| Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability | |||||
| CVE-2023-32692 | 1 Codeigniter | 1 Codeigniter | 2023-06-06 | N/A | 9.8 CRITICAL |
| CodeIgniter is a PHP full-stack web framework. This vulnerability allows attackers to execute arbitrary code when you use Validation Placeholders. The vulnerability exists in the Validation library, and validation methods in the controller and in-model validation are also vulnerable because they use the Validation library internally. This issue is patched in version 4.3.5. | |||||
| CVE-2023-2943 | 1 Open-emr | 1 Openemr | 2023-06-01 | N/A | 8.8 HIGH |
| Code Injection in GitHub repository openemr/openemr prior to 7.0.1. | |||||
| CVE-2023-32697 | 1 Sqlite Jdbc Project | 1 Sqlite Jdbc | 2023-05-31 | N/A | 9.8 CRITICAL |
| SQLite JDBC is a library for accessing and creating SQLite database files in Java. Sqlite-jdbc addresses a remote code execution vulnerability via JDBC URL. This issue impacting versions 3.6.14.1 through 3.41.2.1 and has been fixed in version 3.41.2.2. | |||||
| CVE-2023-2859 | 1 Teampass | 1 Teampass | 2023-05-30 | N/A | 8.8 HIGH |
| Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||||