Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2021-24721 | 1 Loco Translate Project | 1 Loco Translate | 2021-11-10 | 4.0 MEDIUM | 6.5 MEDIUM |
| The Loco Translate WordPress plugin before 2.5.4 mishandles data inputs which get saved to a file, which can be renamed to an extension ending in .php, resulting in authenticated "translator" users being able to inject PHP code into files ending with .php in web accessible locations. | |||||
| CVE-2021-42057 | 1 Obsidian | 1 Obsidian Dataview | 2021-11-08 | 9.3 HIGH | 7.8 HIGH |
| Obsidian Dataview through 0.4.12-hotfix1 allows eval injection. The evalInContext function in executes user input, which allows an attacker to craft malicious Markdown files that will execute arbitrary code once opened. NOTE: 0.4.13 provides a mitigation for some use cases. | |||||
| CVE-2021-43281 | 1 Mybb | 1 Mybb | 2021-11-05 | 6.5 MEDIUM | 7.2 HIGH |
| MyBB before 1.8.29 allows Remote Code Injection by an admin with the "Can manage settings?" permission. The Admin CP's Settings management module does not validate setting types correctly on insertion and update, making it possible to add settings of supported type "php" with PHP code, executed on Change Settings pages. | |||||
| CVE-2021-42754 | 1 Fortinet | 1 Forticlient | 2021-11-04 | 3.5 LOW | 5.0 MEDIUM |
| An improper control of generation of code vulnerability [CWE-94] in FortiClientMacOS versions 7.0.0 and below and 6.4.5 and below may allow an authenticated attacker to hijack the MacOS camera without the user permission via the malicious dylib file. | |||||
| CVE-2021-42139 | 1 Deno | 1 Deno Standard Modules | 2021-11-04 | 6.8 MEDIUM | 9.8 CRITICAL |
| Deno Standard Modules before 0.107.0 allows Code Injection via an untrusted YAML file in certain configurations. | |||||
| CVE-2021-41619 | 1 Gradle | 1 Enterprise | 2021-11-03 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application. | |||||
| CVE-2019-15599 | 1 Tree-kill Project | 1 Tree-kill | 2021-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2019-15597 | 1 Node-df Project | 1 Node-df | 2021-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input. | |||||
| CVE-2020-23037 | 1 Portable | 1 Playable | 2021-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | |||||
| CVE-2021-22961 | 1 Glasswire | 1 Glasswire | 2021-10-21 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. | |||||
| CVE-2021-40889 | 1 Cmsuno Project | 1 Cmsuno | 2021-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully changed their password. The attacker can inject malicious PHP code into password.php and then use the login function to execute code. | |||||
| CVE-2021-40499 | 1 Sap | 1 Netweaver Application Server Abap | 2021-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2018-17207 | 1 Snapcreek | 1 Duplicator | 2021-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | |||||
| CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2021-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | |||||
| CVE-2013-3630 | 1 Moodle | 1 Moodle | 2021-10-12 | 4.6 MEDIUM | N/A |
| Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. | |||||
| CVE-2021-33693 | 1 Sap | 1 Cloud Connector | 2021-09-27 | 7.7 HIGH | 6.8 MEDIUM |
| SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution. | |||||
| CVE-2021-40373 | 1 Playsms | 1 Playsms | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI. | |||||
| CVE-2021-39503 | 1 Phpmywind | 1 Phpmywind | 2021-09-14 | 6.5 MEDIUM | 7.2 HIGH |
| PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file. | |||||
| CVE-2021-37694 | 1 Asyncapi | 1 Java-spring-cloud-stream-template | 2021-09-13 | 6.8 MEDIUM | 7.8 HIGH |
| @asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to update. | |||||
| CVE-2019-4000 | 2 Apple, Druva | 2 Macos, Insync | 2021-09-08 | 7.2 HIGH | 7.8 HIGH |
| Improper neutralization of directives in dynamically evaluated code in Druva inSync Mac OS Client 6.5.0 allows a local, authenticated attacker to execute arbitrary Python expressions with root privileges. | |||||