Total
3303 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-5443 | 4 Haxx, Microsoft, Netapp and 1 more | 10 Curl, Windows, Oncommand Insight and 7 more | 2021-11-03 | 4.4 MEDIUM | 7.8 HIGH |
| A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants. | |||||
| CVE-2021-41619 | 1 Gradle | 1 Enterprise | 2021-11-03 | 9.0 HIGH | 7.2 HIGH |
| An issue was discovered in Gradle Enterprise before 2021.1.2. There is potential remote code execution via the application startup configuration. The installation configuration user interface (available to administrators) allows specifying arbitrary Java Virtual Machine startup options. Some of these options, such as -XX:OnOutOfMemoryError, allow specifying a command to be run on the host. This can be abused to run arbitrary commands on the host, should an attacker gain administrative access to the application. | |||||
| CVE-2019-15598 | 1 Treekill Project | 1 Treekill | 2021-11-02 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in treekill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2019-15599 | 1 Tree-kill Project | 1 Tree-kill | 2021-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command. | |||||
| CVE-2019-15597 | 1 Node-df Project | 1 Node-df | 2021-10-29 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input. | |||||
| CVE-2019-10211 | 2 Microsoft, Postgresql | 2 Windows, Postgresql | 2021-10-28 | 7.5 HIGH | 9.8 CRITICAL |
| Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. | |||||
| CVE-2020-23037 | 1 Portable | 1 Playable | 2021-10-27 | 7.5 HIGH | 9.8 CRITICAL |
| Portable Ltd Playable v9.18 contains a code injection vulnerability in the filename parameter, which allows attackers to execute arbitrary web scripts or HTML via a crafted POST request. | |||||
| CVE-2020-11056 | 1 Barrelstrengthdesign | 1 Sprout Forms | 2021-10-26 | 6.5 MEDIUM | 6.3 MEDIUM |
| In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0. | |||||
| CVE-2021-22961 | 1 Glasswire | 1 Glasswire | 2021-10-21 | 7.5 HIGH | 9.8 CRITICAL |
| A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution. | |||||
| CVE-2021-40889 | 1 Cmsuno Project | 1 Cmsuno | 2021-10-19 | 7.5 HIGH | 9.8 CRITICAL |
| CMSUno version 1.7.2 is affected by a PHP code execution vulnerability. sauvePass action in {webroot}/uno/central.php file calls to file_put_contents() function to write username in password.php file when a user successfully changed their password. The attacker can inject malicious PHP code into password.php and then use the login function to execute code. | |||||
| CVE-2021-40499 | 1 Sap | 1 Netweaver Application Server Abap | 2021-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| Client-side printing services SAP Cloud Print Manager and SAPSprint for SAP NetWeaver Application Server for ABAP - versions 7.70, 7.70 PI, 7.70 BYD, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application. | |||||
| CVE-2018-17207 | 1 Snapcreek | 1 Duplicator | 2021-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | |||||
| CVE-2021-40323 | 1 Cobbler Project | 1 Cobbler | 2021-10-12 | 7.5 HIGH | 9.8 CRITICAL |
| Cobbler before 3.3.0 allows log poisoning, and resultant Remote Code Execution, via an XMLRPC method that logs to the logfile for template injection. | |||||
| CVE-2013-3630 | 1 Moodle | 1 Moodle | 2021-10-12 | 4.6 MEDIUM | N/A |
| Moodle through 2.5.2 allows remote authenticated administrators to execute arbitrary programs by configuring the aspell pathname and then triggering a spell-check operation within the TinyMCE editor. | |||||
| CVE-2021-33693 | 1 Sap | 1 Cloud Connector | 2021-09-27 | 7.7 HIGH | 6.8 MEDIUM |
| SAP Cloud Connector, version - 2.0, allows an authenticated administrator to modify a configuration file to inject malicious codes that could potentially lead to OS command execution. | |||||
| CVE-2021-40373 | 1 Playsms | 1 Playsms | 2021-09-21 | 7.5 HIGH | 9.8 CRITICAL |
| playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI. | |||||
| CVE-2021-39503 | 1 Phpmywind | 1 Phpmywind | 2021-09-14 | 6.5 MEDIUM | 7.2 HIGH |
| PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file. | |||||
| CVE-2021-37694 | 1 Asyncapi | 1 Java-spring-cloud-stream-template | 2021-09-13 | 6.8 MEDIUM | 7.8 HIGH |
| @asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to update. | |||||
| CVE-2019-4000 | 2 Apple, Druva | 2 Macos, Insync | 2021-09-08 | 7.2 HIGH | 7.8 HIGH |
| Improper neutralization of directives in dynamically evaluated code in Druva inSync Mac OS Client 6.5.0 allows a local, authenticated attacker to execute arbitrary Python expressions with root privileges. | |||||
| CVE-2021-32831 | 1 Totaljs | 1 Total.js | 2021-09-07 | 6.5 MEDIUM | 7.2 HIGH |
| Total.js framework (npm package total.js) is a framework for Node.js platfrom written in pure JavaScript similar to PHP's Laravel or Python's Django or ASP.NET MVC. In total.js framework before version 3.4.9, calling the utils.set function with user-controlled values leads to code-injection. This can cause a variety of impacts that include arbitrary code execution. This is fixed in version 3.4.9. | |||||