Total
3303 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-5259 | 1 Linuxfoundation | 1 Dojox | 2020-03-11 | 5.0 MEDIUM | 8.6 HIGH |
| In affected versions of dojox (NPM package), the jqMix method is vulnerable to Prototype Pollution. Prototype Pollution refers to the ability to inject properties into existing JavaScript language construct prototypes, such as objects. An attacker manipulates these attributes to overwrite, or pollute, a JavaScript application object prototype of the base object by injecting other values. This has been patched in versions 1.11.10, 1.12.8, 1.13.7, 1.14.6, 1.15.3 and 1.16.2 | |||||
| CVE-2019-3695 | 2 Opensuse, Suse | 5 Leap, Pcp, Linux Enterprise High Performance Computing and 2 more | 2020-03-06 | 7.2 HIGH | 7.8 HIGH |
| A Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1. | |||||
| CVE-2020-8132 | 1 Pdf-image Project | 1 Pdf-image | 2020-03-03 | 7.5 HIGH | 9.8 CRITICAL |
| Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input. | |||||
| CVE-2020-8129 | 1 Script-manager Project | 1 Script-manager | 2020-02-21 | 7.5 HIGH | 9.8 CRITICAL |
| An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code. | |||||
| CVE-2013-4211 | 1 Openx | 1 Openx | 2020-02-19 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code | |||||
| CVE-2019-17268 | 1 Omniauth-weibo-oauth2 Project | 1 Omniauth-weibo-oauth2 | 2020-02-11 | 7.5 HIGH | 9.8 CRITICAL |
| The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. | |||||
| CVE-2003-0498 | 1 Intersystems | 1 Cache Database | 2020-02-10 | 7.2 HIGH | N/A |
| Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. | |||||
| CVE-2014-2909 | 1 Siemens | 6 Simatic S7 Cpu-1211c, Simatic S7 Cpu 1200 Firmware, Simatic S7 Cpu 1212c and 3 more | 2020-02-10 | 5.8 MEDIUM | N/A |
| CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors. | |||||
| CVE-2013-2267 | 1 Fudforum | 1 Fudforum | 2020-01-29 | 9.0 HIGH | 7.2 HIGH |
| PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system. | |||||
| CVE-2020-6836 | 1 Hot-formula-parser Project | 1 Hot-formula-parser | 2020-01-22 | 7.5 HIGH | 9.8 CRITICAL |
| grammar-parser.jison in the hot-formula-parser package before 3.0.1 for Node.js is vulnerable to arbitrary code injection. The package fails to sanitize values passed to the parse function and concatenates them in an eval call. If a value of the formula is taken from user-controlled input, it may allow attackers to run arbitrary commands on the server. | |||||
| CVE-2018-18249 | 1 Icinga | 1 Icinga Web 2 | 2020-01-16 | 7.5 HIGH | 9.8 CRITICAL |
| Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet. | |||||
| CVE-2019-20343 | 1 Mojohaus | 1 Exec Maven | 2020-01-15 | 7.5 HIGH | 9.8 CRITICAL |
| The MojoHaus Exec Maven plugin 1.1.1 for Maven allows code execution via a crafted XML document because a configuration element (within a plugin element) can specify an arbitrary program in an executable element (and can also specify arbitrary command-line arguments in an arguments element). | |||||
| CVE-2017-7324 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | |||||
| CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2020-01-10 | 7.5 HIGH | 9.8 CRITICAL |
| setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | |||||
| CVE-2019-7486 | 1 Sonicwall | 2 Sma 100, Sma 100 Firmware | 2019-12-31 | 6.5 MEDIUM | 8.8 HIGH |
| Code injection in SonicWall SMA100 allows an authenticated user to execute arbitrary code in viewcacert CGI script. This vulnerability impacted SMA100 version 9.0.0.4 and earlier. | |||||
| CVE-2005-0709 | 2 Mysql, Oracle | 2 Mysql, Mysql | 2019-12-17 | 4.6 MEDIUM | N/A |
| MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit. | |||||
| CVE-2014-7235 | 2 Freepbx, Sangoma | 2 Freepbx, Freepbx | 2019-12-10 | 10.0 HIGH | N/A |
| htdocs_ari/includes/login.php in the ARI Framework module/Asterisk Recording Interface (ARI) in FreePBX before 2.9.0.9, 2.10.x, and 2.11 before 2.11.1.5 allows remote attackers to execute arbitrary code via the ari_auth cookie, related to the PHP unserialize function, as exploited in the wild in September 2014. | |||||
| CVE-2012-4869 | 1 Sangoma | 1 Freepbx | 2019-12-10 | 7.5 HIGH | N/A |
| The callme_startcall function in recordings/misc/callme_page.php in FreePBX 2.9, 2.10, and earlier allows remote attackers to execute arbitrary commands via the callmenum parameter in a c action. | |||||
| CVE-2013-1666 | 1 Foswiki | 1 Foswiki | 2019-11-08 | 6.8 MEDIUM | 9.8 CRITICAL |
| Foswiki before 1.1.8 contains a code injection vulnerability in the MAKETEXT macro. | |||||
| CVE-2019-17613 | 1 Qibosoft | 1 Qibosoft | 2019-10-18 | 7.5 HIGH | 9.8 CRITICAL |
| qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter. | |||||