Total
3761 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2019-20343 | 1 Mojohaus | 1 Exec Maven | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element). | |||||
| CVE-2017-7324 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | |||||
| CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | |||||
| CVE-2019-7486 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2019-12-31 | 6.5 MEDIUM | 8.8 HIGH |
| Code injection in SonicWall SMA100 allows an authenticated user to execute arbitrary code in viewcacert CGI script. This vulnerability impacted SMA100 version 9.0.0.4 and earlier. | |||||
| CVE-2005-0709 | 2 Mysql, Oracle | 2 Mysql, Mysql | 2019-12-17 | 4.6 MEDIUM | N/A |
| MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit. | |||||
| CVE-2014-7235 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2019-12-10 | 10.0 HIGH | N/A |
| htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014. | |||||
| CVE-2012-4869 | 1 Sangoma | 1 Freepbx | 2019-12-10 | 7.5 HIGH | N/A |
| The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action. | |||||
| CVE-2013-1666 | 1 Foswiki | 1 Foswiki | 2019-11-08 | 6.8 MEDIUM | 9.8 CRITICAL |
| Foswiki before 1.1.8 contains a code injection vulnerability in the MAKETEXT macro. | |||||
| CVE-2019-17613 | 1 Qibosoft | 1 Qibosoft | 2019-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter. | |||||
| CVE-2018-21023 | 1 Centreon | 1 Centreon Web | 2019-10-15 | 6.5 MEDIUM | 8.8 HIGH |
| getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter. | |||||
| CVE-2019-13558 | 1 Advantech | 1 Webaccess | 2019-10-09 | 9.0 HIGH | 9.8 CRITICAL |
| In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash. | |||||
| CVE-2018-2418 | 1 Sap | 1 Maxdb Odbc Driver | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2018-1792 | 1 Ibm | 1 Websphere Mq | 2019-10-09 | 7.2 HIGH | 7.8 HIGH |
| IBM WebSphere MQ 8.0.0.0 through 8.0.0.10, 9.0.0.0 through 9.0.0.5, 9.0.1 through 9.0.5, and 9.1.0.0 could allow a local user to inject code that could be executed with root privileges. IBM X-Force ID: 148947. | |||||
| CVE-2018-1104 | 1 Redhat | 2 Ansible Tower, Cloudforms | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. | |||||
| CVE-2018-19011 | 1 Omron | 1 Cx-supervisor | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| CX-Supervisor (Versions 3.42 and prior) can execute code that has been injected into a project file. An attacker could exploit this to execute code under the privileges of the application. | |||||
| CVE-2018-19002 | 1 Lcds | 1 Laquis Scada | 2019-10-09 | 8.3 HIGH | 7.8 HIGH |
| LCDS Laquis SCADA prior to version 4.1.0.4150 allows improper control of generation of code when opening a specially crafted project file, which may allow remote code execution, data exfiltration, or cause a system crash. | |||||
| CVE-2018-14630 | 1 Moodle | 1 Moodle | 2019-10-09 | 6.5 MEDIUM | 8.8 HIGH |
| moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | |||||
| CVE-2018-14804 | 1 Emerson | 1 Ams Device Manager | 2019-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| Emerson AMS Device Manager v12.0 to v13.5. A specially crafted script may be run that allows arbitrary remote code execution. | |||||
| CVE-2018-0461 | 1 Cisco | 7 Ip Phone 8800 Series Firmware, Ip Phone 8811, Ip Phone 8841 and 4 more | 2019-10-09 | 6.8 MEDIUM | 8.8 HIGH |
| A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device. The vulnerability exists because the software running on an affected device insufficiently validates user-supplied data. An attacker could exploit this vulnerability by persuading a user to click a malicious link provided to the user or through the interface of an affected device. A successful exploit could allow an attacker to execute arbitrary script code in the context of the user interface or access sensitive system-based information, which under normal circumstances should be prohibited. | |||||