Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7694 | 1 Getsymphony | 1 Symphony | 2020-08-25 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution vulnerability in symphony/content/content.blueprintsdatasources.php in Symphony CMS through 2.6.11 allows remote attackers to execute code and get a webshell from the back-end. The attacker must be authenticated and enter PHP code in the datasource editor or event editor. | |||||
| CVE-2019-15318 | 1 Yikesinc | 1 Easy Forms For Mailchimp | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The yikes-inc-easy-mailchimp-extender plugin before 6.5.3 for WordPress has code injection via the admin input field. | |||||
| CVE-2019-17309 | 1 Sugarcrm | 1 Sugarcrm | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. | |||||
| CVE-2018-1808 | 1 Ibm | 1 Websphere Commerce | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828. | |||||
| CVE-2019-14965 | 1 Frappe | 1 Frappe | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Frappe Framework 10 through 12 before 12.0.4. A server side template injection (SSTI) issue exists. | |||||
| CVE-2019-17302 | 1 Sugarcrm | 1 Sugarcrm | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. | |||||
| CVE-2019-11594 | 1 Getadblock | 1 Adblock | 2020-08-24 | 6.8 MEDIUM | 8.1 HIGH |
| In AdBlock before 3.45.0, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect. | |||||
| CVE-2019-19909 | 1 Sfu | 1 Open Journal System | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used. | |||||
| CVE-2018-21005 | 1 Bbpress Move Topics Project | 1 Bbpress Move Topics | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| The bbp-move-topics plugin before 1.1.6 for WordPress has code injection. | |||||
| CVE-2019-17301 | 1 Sugarcrm | 1 Sugarcrm | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. | |||||
| CVE-2018-7951 | 1 Huawei | 40 1288h V5, 1288h V5 Firmware, 2288h V5 and 37 more | 2020-08-24 | 9.0 HIGH | 8.8 HIGH |
| The iBMC (Intelligent Baseboard Management Controller) of some Huawei servers have a JSON injection vulnerability due to insufficient input validation. An authenticated, remote attacker can launch a JSON injection to modify the password of administrator. Successful exploit may allow attackers to obtain the management privilege of the system. | |||||
| CVE-2019-11642 | 1 Oneshield | 1 Oneshield Policy | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A log poisoning vulnerability has been discovered in the OneShield Policy (Dragon Core) framework before 5.1.10. Authenticated remote adversaries can poison log files by entering malicious payloads in either headers or form elements. These payloads are then executed via a client side debugging console. This is predicated on the debugging console and Java Bean being made available to the deployed application. | |||||
| CVE-2019-17310 | 1 Sugarcrm | 1 Sugarcrm | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. | |||||
| CVE-2019-17304 | 1 Sugarcrm | 1 Sugarcrm | 2020-08-24 | 6.5 MEDIUM | 7.2 HIGH |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. | |||||
| CVE-2019-5509 | 1 Netapp | 1 Ontap Select Deploy Administration Utility | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use a privileged user account. | |||||
| CVE-2018-1000070 | 1 Bitmessage | 1 Pybitmessage | 2020-08-24 | 6.8 MEDIUM | 8.8 HIGH |
| Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0) contains a Eval injection vulnerability in main program, file src/messagetypes/__init__.py function constructObject that can result in Code Execution. This attack appears to be exploitable via remote attacker using a malformed message which must be processed by the victim - e.g. arrive from any sender on bitmessage network. This vulnerability appears to have been fixed in v0.6.3. | |||||
| CVE-2019-16885 | 1 Okay-cms | 1 Okaycms | 2020-08-24 | 7.5 HIGH | 9.8 CRITICAL |
| In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie price_filter, and second in api/Comparison.php via the cookie comparison. | |||||
| CVE-2019-15388 | 1 Coolpad | 2 Mega 5, Mega 5 Firmware | 2020-08-24 | 9.3 HIGH | 8.1 HIGH |
| The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more. | |||||
| CVE-2018-1133 | 1 Moodle | 1 Moodle | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Moodle 3.x. A Teacher creating a Calculated question can intentionally cause remote code execution on the server, aka eval injection. | |||||
| CVE-2019-7871 | 1 Magento | 1 Magento | 2020-08-24 | 6.5 MEDIUM | 8.8 HIGH |
| A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection. | |||||