Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-8180 | 1 Nextcloud | 1 Talk | 2020-06-11 | 6.5 MEDIUM | 9.9 CRITICAL |
| A too lax check in Nextcloud Talk 6.0.4, 7.0.2 and 8.0.7 allowed a code injection when a not correctly sanitized talk command was added by an administrator. | |||||
| CVE-2020-8149 | 1 Logkitty Project | 1 Logkitty | 2020-05-19 | 7.5 HIGH | 9.8 CRITICAL |
| Lack of output sanitization allowed an attack to execute arbitrary shell commands via the logkitty npm package before version 0.7.1. | |||||
| CVE-2020-5739 | 1 Grandstream | 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more | 2020-04-14 | 9.0 HIGH | 8.8 HIGH |
| Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker adds an OpenVPN up script to the phone's VPN settings via the "Additional Settings" field in the web interface. When the VPN's connection is established, the user defined script is executed with root privileges. | |||||
| CVE-2019-9163 | 1 Marchnetworks | 1 Command Client | 2020-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects. | |||||
| CVE-2020-5553 | 1 Mailform | 1 Mailform | 2020-03-27 | 10.0 HIGH | 9.8 CRITICAL |
| mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors. | |||||
| CVE-2018-9113 | 1 Cdc | 1 Microbetrace | 2020-03-27 | 9.3 HIGH | 7.8 HIGH |
| Centers for Disease Control and Prevention MicrobeTRACE 0.1.12 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial '><script type="text/javascript" src=' line. Fix released on 2018-03-29. | |||||
| CVE-2018-8974 | 1 Cdc | 1 Microbetrace | 2020-03-27 | 9.3 HIGH | 7.8 HIGH |
| Centers for Disease Control and Prevention MicrobeTRACE 0.1.11 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial 'Source<script type="text/javascript" src=' line. Fix released on 2018-03-28. | |||||
| CVE-2020-6650 | 1 Eaton | 1 Ups Companion | 2020-03-27 | 5.8 MEDIUM | 8.8 HIGH |
| UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call e.g.”eval” in “Update Manager” class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed. | |||||
| CVE-2020-7480 | 1 Schneider-electric | 22 Andover Continuum 5720, Andover Continuum 5720 Firmware, Andover Continuum 5740 and 19 more | 2020-03-25 | 7.5 HIGH | 9.8 CRITICAL |
| A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data. | |||||
| CVE-2020-8137 | 1 Blamer Project | 1 Blamer | 2020-03-25 | 7.5 HIGH | 9.8 CRITICAL |
| Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker. | |||||
| CVE-2019-18582 | 1 Dell | 6 Emc Data Protection Advisor, Emc Idpa Dp4400, Emc Idpa Dp5800 and 3 more | 2020-03-24 | 9.0 HIGH | 7.2 HIGH |
| Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system. | |||||
| CVE-2020-8141 | 1 Dot Project | 1 Dot | 2020-03-17 | 6.5 MEDIUM | 8.8 HIGH |
| The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype. | |||||
| CVE-2019-3695 | 2 Opensuse, Suse | 5 Leap, Pcp, Linux Enterprise High Performance Computing and 2 more | 2020-03-06 | 7.2 HIGH | 7.8 HIGH |
| A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1. | |||||
| CVE-2020-8129 | 1 Script-manager Project | 1 Script-manager | 2020-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. | |||||
| CVE-2013-4211 | 1 Openx | 1 Openx | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code | |||||
| CVE-2019-17268 | 1 Omniauth-weibo-oauth2 Project | 1 Omniauth-weibo-oauth2 | 2020-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. | |||||
| CVE-2003-0498 | 1 Intersystems | 1 Cache Database | 2020-02-10 | 7.2 HIGH | N/A |
| Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. | |||||
| CVE-2014-2909 | 1 Siemens | 6 Simatic S7 Cpu-1211c, Simatic S7 Cpu 1200 Firmware, Simatic S7 Cpu 1212c and 3 more | 2020-02-10 | 5.8 MEDIUM | N/A |
| CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors. | |||||
| CVE-2013-2267 | 1 Fudforum | 1 Fudforum | 2020-01-29 | 9.0 HIGH | 7.2 HIGH |
| PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system. | |||||
| CVE-2020-6836 | 1 Hot-formula-parser Project | 1 Hot-formula-parser | 2020-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server. | |||||