Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-19089 | 1 Hitachienergy | 1 Esoms | 2023-05-16 | 4.3 MEDIUM | 6.1 MEDIUM |
| For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript. | |||||
| CVE-2023-2583 | 1 Jsreport | 1 Jsreport | 2023-05-12 | N/A | 10.0 CRITICAL |
| Code Injection in GitHub repository jsreport/jsreport prior to 3.11.3. | |||||
| CVE-2023-1178 | 1 Gitlab | 1 Gitlab | 2023-05-09 | N/A | 5.7 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 8.6 before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. File integrity may be compromised when source code or installation packages are pulled from a tag or from a release containing a ref to another commit. | |||||
| CVE-2023-2259 | 1 Alf | 1 Alf | 2023-05-03 | N/A | 7.2 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in GitHub repository alfio-event/alf.io prior to 2.0-M4-2304. | |||||
| CVE-2019-16255 | 4 Debian, Opensuse, Oracle and 1 more | 4 Debian Linux, Leap, Graalvm and 1 more | 2023-04-30 | 6.8 MEDIUM | 8.1 HIGH |
| Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. | |||||
| CVE-2023-2017 | 1 Shopware | 1 Shopware | 2023-04-28 | N/A | 8.8 HIGH |
| Server-side Template Injection (SSTI) in Shopware 6 (<= v6.4.20.0, v6.5.0.0-rc1 <= v6.5.0.0-rc4), affecting both shopware/core and shopware/platform GitHub repositories, allows remote attackers with access to a Twig environment without the Sandbox extension to bypass the validation checks in `Shopware\Core\Framework\Adapter\Twig\SecurityExtension` and call any arbitrary PHP function and thus execute arbitrary code/commands via usage of fully-qualified names, supplied as array of strings, when referencing callables. Users are advised to upgrade to v6.4.20.1 to resolve this issue. This is a bypass of CVE-2023-22731. | |||||
| CVE-2023-25549 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-04-27 | N/A | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows for remote code execution when using a parameter of the DCE network settings endpoint. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-25550 | 1 Schneider-electric | 1 Struxureware Data Center Expert | 2023-04-27 | N/A | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists that allows remote code execution via the “hostname” parameter when maliciously crafted hostname syntax is entered. Affected products: StruxureWare Data Center Expert (V7.9.2 and prior) | |||||
| CVE-2023-30537 | 1 Xwiki | 1 Xwiki | 2023-04-26 | N/A | 8.8 HIGH |
| XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the styles properties `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki versions 13.10.11, 14.4.7 and 14.10. | |||||
| CVE-2023-29214 | 1 Xwiki | 1 Xwiki | 2023-04-26 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the IncludedDocuments panel. The problem has been patched on XWiki 14.4.7, and 14.10. | |||||
| CVE-2023-29212 | 1 Xwiki | 1 Xwiki | 2023-04-26 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with edit rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the included pages in the included documents edit panel. The problem has been patched on XWiki 14.4.7, and 14.10. | |||||
| CVE-2023-29211 | 1 Xwiki | 1 Xwiki | 2023-04-26 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights `WikiManager.DeleteWiki` can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `wikiId` url parameter. The problem has been patched on XWiki 13.10.11, 14.4.7, and 14.10. | |||||
| CVE-2023-29209 | 1 Xwiki | 1 Xwiki | 2023-04-25 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the macro parameters of the legacy notification activity macro. This macro is installed by default in XWiki. The vulnerability can be exploited via every wiki page that is editable including the user's profile, but also with just view rights using the HTMLConverter that is part of the CKEditor integration which is bundled with XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. | |||||
| CVE-2023-29210 | 1 Xwiki | 1 Xwiki | 2023-04-24 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the notification preferences macros can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the user parameter of the macro that provide the notification filters. These macros are used in the user profiles and thus installed by default in XWiki. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. | |||||
| CVE-2023-29509 | 1 Xwiki | 1 Xwiki | 2023-04-24 | N/A | 8.8 HIGH |
| XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of the `documentTree` macro parameters in This macro is installed by default in `FlamingoThemesCode.WebHome`. This page is installed by default. The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10. | |||||
| CVE-2023-27897 | 1 Sap | 1 Customer Relationship Management | 2023-04-14 | N/A | 6.3 MEDIUM |
| In SAP CRM - versions 700, 701, 702, 712, 713, an attacker who is authenticated with a non-administrative role and a common remote execution authorization can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can can have limited impact on confidentiality and integrity of non-critical user or application data and application availability. | |||||
| CVE-2023-27893 | 1 Sap | 1 Solution Manager | 2023-04-11 | N/A | 8.8 HIGH |
| An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. | |||||
| CVE-2022-31161 | 1 Roxy-wi | 1 Roxy-wi | 2023-04-03 | N/A | 9.8 CRITICAL |
| Roxy-WI is a Web interface for managing HAProxy, Nginx and Keepalived servers. Prior to version 6.1.1.0, the system command can be run remotely via the subprocess_execute function without processing the inputs received from the user in the /app/options.py file. Version 6.1.1.0 contains a patch for this issue. | |||||
| CVE-2023-24835 | 1 Softnext | 1 Spam Sqr | 2023-04-03 | N/A | 7.2 HIGH |
| Softnext Technologies Corp.’s SPAM SQR has a vulnerability of Code Injection within its specific function. An authenticated remote attacker with administrator privilege can exploit this vulnerability to execute arbitrary system command to perform arbitrary system operation or disrupt service. | |||||
| CVE-2023-1367 | 1 Easyappointments | 1 Easyappointments | 2023-03-17 | N/A | 3.8 LOW |
| Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. | |||||