Total: 3303 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2014-2988 | 1 Egroupware | 1 Egroupware | 2018-10-09 | 8.5 HIGH | N/A |
| EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987. | |||||
| CVE-2014-2177 | 1 Cisco | 7 Rv120w, Rv120w Firmware, Rv180 and 4 more | 2018-10-09 | 9.0 HIGH | N/A |
| The network-diagnostics administration interface in the Cisco RV router firmware on RV220W devices, before 1.0.5.9 on RV120W devices, and before 1.0.4.14 on RV180 and RV180W devices allows remote authenticated users to execute arbitrary commands via a crafted HTTP request, aka Bug ID CSCuh87126. | |||||
| CVE-2014-2044 | 1 Owncloud | 1 Owncloud | 2018-10-09 | 7.5 HIGH | N/A |
| Incomplete blacklist vulnerability in ajax/upload.php in ownCloud before 5.0, when running on Windows, allows remote authenticated users to bypass intended access restrictions, upload files with arbitrary names, and execute arbitrary code via an Alternate Data Stream (ADS) syntax in the filename parameter, as demonstrated using .htaccess::$DATA to upload a PHP program. | |||||
| CVE-2011-3828 | 1 Sunplus-tech | 1 Dvr Remote Activex Control | 2018-10-09 | 9.3 HIGH | N/A |
| DVRemoteAx.ax 2.1.0.39 in the DVR Remote ActiveX control allows remote attackers to execute arbitrary code via a crafted DVRobot.dll file in a manifest directory on a web server. | |||||
| CVE-2011-0635 | 1 Simploo | 1 Simploo Cms | 2018-10-09 | 6.0 MEDIUM | N/A |
| Static code injection vulnerability in Simploo CMS 1.7.1 and earlier allows remote authenticated users to inject arbitrary PHP code into config/custom/base.ini.php via the ftpserver parameter (FTP-Server field) to the sicore/updates/optionssav operation for index.php. | |||||
| CVE-2011-0487 | 1 Icq | 1 Icq | 2018-10-09 | 9.3 HIGH | N/A |
| ICQ 7 does not verify the authenticity of updates, which allows man-in-the-middle attackers to execute arbitrary code via a crafted file that is fetched through an automatic-update mechanism. | |||||
| CVE-2016-4391 | 1 Hp | 1 Arcsight Winc Connector | 2018-10-09 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0. | |||||
| CVE-2018-7748 | 1 Servicenow | 1 Servicenow | 2018-10-05 | 6.5 MEDIUM | 8.8 HIGH |
| report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter. | |||||
| CVE-2016-4397 | 1 Hp | 1 Network Node Manager I | 2018-10-05 | 4.6 MEDIUM | 7.8 HIGH |
| A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software. | |||||
| CVE-2018-1999022 | 2 Civicrm, Html Quickform Project | 2 Civicrm, Html Quickform | 2018-10-03 | 7.5 HIGH | 9.8 CRITICAL |
| PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, and HTML_QuickForm_element's _prepareValue method that can result in possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appears to be exploitable via a specially crafted query string, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15. | |||||
| CVE-2018-14910 | 1 Seacms | 1 Seacms | 2018-10-02 | 6.8 MEDIUM | 8.8 HIGH |
| SeaCMS v6.61 allows remote code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. | |||||
| CVE-2018-16771 | 1 Hoosk | 1 Hoosk | 2018-09-24 | 7.5 HIGH | 9.8 CRITICAL |
| Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. | |||||
| CVE-2018-14579 | 1 Golemcms Project | 1 Golemcms | 2018-09-20 | 7.5 HIGH | 9.8 CRITICAL |
| GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct request for install/install.sql. | |||||
| CVE-2018-1999023 | 1 Wesnoth | 1 The Battle For Wesnoth | 2018-09-20 | 6.8 MEDIUM | 8.8 HIGH |
| The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a code injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appears to be exploitable via loading specially crafted saved games, networked games, replays, and player content. | |||||
| CVE-2014-2302 | 1 Webedition | 1 Webedition Cms | 2018-09-18 | 7.5 HIGH | 9.8 CRITICAL |
| The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org. | |||||
| CVE-2018-14421 | 1 Seacms | 1 Seacms | 2018-09-14 | 6.8 MEDIUM | 8.8 HIGH |
| SeaCMS v6.61 allows remote code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. | |||||
| CVE-2018-5781 | 1 Mitel | 2 Connect Onsite, St14.2 | 2018-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vendrecording.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application. | |||||
| CVE-2018-5780 | 1 Mitel | 2 Connect Onsite, St14.2 | 2018-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vnewmeeting.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application. | |||||
| CVE-2018-5779 | 1 Mitel | 2 Connect Onsite, St14.2 | 2018-09-07 | 10.0 HIGH | 9.8 CRITICAL |
| A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application. | |||||
| CVE-2018-8345 | 1 Microsoft | 7 Windows 10, Windows 7, Windows 8.1 and 4 more | 2018-09-07 | 7.6 HIGH | 7.5 HIGH |
| A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8346. | |||||
