Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-28905 | 1 Nagios | 1 Fusion | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Input Validation in Nagios Fusion 4.1.8 and earlier allows an authenticated attacker to execute remote code via table pagination. | |||||
| CVE-2021-45806 | 1 Jpress | 1 Jpress | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code. | |||||
| CVE-2021-27230 | 1 Expressionengine | 1 Expressionengine | 2022-07-12 | 6.5 MEDIUM | 8.8 HIGH |
| ExpressionEngine before 5.4.2 and 6.x before 6.0.3 allows PHP Code Injection by certain authenticated users who can leverage Translate::save() to write to an _lang.php file under the system/user/language directory. | |||||
| CVE-2021-46063 | 1 Mingsoft | 1 Mcms | 2022-07-12 | 6.4 MEDIUM | 9.1 CRITICAL |
| MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module. | |||||
| CVE-2021-40084 | 1 Artixlinux | 1 Opensysusers | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| opensysusers through 0.6 does not safely use eval on files in sysusers.d that may contain shell metacharacters. For example, it allows command execution via a crafted GECOS field whereas systemd-sysusers (a program with the same specification) does not do that. | |||||
| CVE-2021-39383 | 1 Diaowen | 1 Dwsurvey | 2022-07-12 | 7.5 HIGH | 9.8 CRITICAL |
| DWSurvey v3.2.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /sysuser/SysPropertyAction.java. | |||||
| CVE-2022-2073 | 1 Getgrav | 1 Grav | 2022-07-08 | 6.5 MEDIUM | 7.2 HIGH |
| Code Injection in GitHub repository getgrav/grav prior to 1.7.34. | |||||
| CVE-2017-20099 | 1 Analytics Stats Counter Statistics Project | 1 Analytics Stats Counter Statistics | 2022-07-06 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability was found in Analytics Stats Counter Statistics Plugin 1.2.2.5 and classified as critical. This issue affects some unknown processing. The manipulation leads to code injection. The attack may be initiated remotely. | |||||
| CVE-2021-32756 | 1 Manageiq | 1 Manageiq | 2022-07-02 | 9.0 HIGH | 8.8 HIGH |
| ManageIQ is an open-source management platform. In versions prior to jansa-4, kasparov-2, and lasker-1, there is a flaw in the MiqExpression module of ManageIQ where a low privilege user could enter a crafted Ruby string which would be evaluated. Successful exploitation will allow an attacker to execute arbitrary code with root privileges on the host system. There are patches for this issue in releases named jansa-4, kasparov-2, and lasker-1. If possible, restrict users, via RBAC, to only the part of the application that they need access to. While MiqExpression is widely used throughout the product, restricting users can limit the surface of the attack. | |||||
| CVE-2021-32817 | 1 Express Handlebars Project | 1 Express Handlebars | 2022-07-02 | 4.3 MEDIUM | 6.8 MEDIUM |
| express-hbs is an Express handlebars template engine. express-hbs mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .hbs appended to them. For complete details refer to the referenced GHSL-2021-019 report. Notes in documentation have been added to help users of express-hbs avoid this potential information exposure vulnerability. | |||||
| CVE-2021-32820 | 1 Express Handlebars Project | 1 Express Handlebars | 2022-07-02 | 5.0 MEDIUM | 8.6 HIGH |
| Express-handlebars is a Handlebars view engine for Express. Express-handlebars mixes pure template data with engine configuration options through the Express render API. More specifically, the layout parameter may trigger file disclosure vulnerabilities in downstream applications. This potential vulnerability is somewhat restricted in that only files with existing extentions (i.e. file.extension) can be included, files that lack an extension will have .handlebars appended to them. For complete details refer to the referenced GHSL-2021-018 report. Notes in documentation have been added to help users avoid this potential information exposure vulnerability. | |||||
| CVE-2021-32822 | 1 Hbs Project | 1 Hbs | 2022-07-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| The npm hbs package is an Express view engine wrapper for Handlebars. Depending on usage, users of hbs may be vulnerable to a file disclosure vulnerability. There is currently no patch for this vulnerability. hbs mixes pure template data with engine configuration options through the Express render API. By overwriting internal configuration options a file disclosure vulnerability may be triggered in downstream applications. For an example PoC see the referenced GHSL-2021-020. | |||||
| CVE-2020-6318 | 1 Sap | 1 Abap Platform | 2022-07-01 | 6.5 MEDIUM | 7.2 HIGH |
| A Remote Code Execution vulnerability exists in the SAP NetWeaver (ABAP Server, up to release 7.40) and ABAP Platform (> release 7.40).Because of this, an attacker can exploit these products via Code Injection, and potentially enabling to take complete control of the products, including viewing, changing, or deleting data by injecting code into the working memory which is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the products to terminate. | |||||
| CVE-2017-20095 | 1 Simple Ads Manager Project | 1 Simple Ads Manager | 2022-06-30 | 7.5 HIGH | 9.8 CRITICAL |
| A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely. | |||||
| CVE-2017-20086 | 1 Automattic | 1 Vaultpress | 2022-06-29 | 6.0 MEDIUM | 7.5 HIGH |
| A vulnerability, which was classified as critical, was found in VaultPress Plugin 1.8.4. This affects an unknown part. The manipulation leads to code injection. It is possible to initiate the attack remotely. | |||||
| CVE-2021-41402 | 1 Flatcore | 1 Flatcore-cms | 2022-06-28 | 6.5 MEDIUM | 8.8 HIGH |
| flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code. | |||||
| CVE-2017-20064 | 1 Elefantcms | 1 Elefant Cms | 2022-06-27 | 6.5 MEDIUM | 8.8 HIGH |
| A vulnerability was found in Elefant CMS 1.3.12-RC. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /designer/add/layout. The manipulation leads to code injection. The attack can be launched remotely. Upgrading to version 1.3.13 is able to address this issue. It is recommended to upgrade the affected component. | |||||
| CVE-2021-39402 | 1 Maianmedia | 1 Maianaffiliate | 2022-06-27 | 6.5 MEDIUM | 7.2 HIGH |
| MaianAffiliate v.1.0 is suffers from code injection by adding a new product via the admin panel. The injected payload is reflected on the affiliate main page for all authenticated and unauthenticated visitors. | |||||
| CVE-2021-41749 | 1 Nystudio107 | 1 Seomatic | 2022-06-17 | 7.5 HIGH | 9.8 CRITICAL |
| In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side Template Injection, allowing for remote code execution. | |||||
| CVE-2022-24429 | 1 Convert-svg-core Project | 1 Convert-svg-core | 2022-06-17 | 6.8 MEDIUM | 7.8 HIGH |
| The package convert-svg-core before 0.6.3 are vulnerable to Arbitrary Code Injection when using a specially crafted SVG file. An attacker can read arbitrary files from the file system and then show the file content as a converted PNG file. | |||||