Total
3303 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-10842 | 1 Getbootstrap | 1 Bootstrap-sass | 2019-04-11 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare. | |||||
| CVE-2019-10633 | 1 Zyxel | 2 Nas326, Nas326 Firmware | 2019-04-10 | 6.5 MEDIUM | 8.8 HIGH |
| An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs. | |||||
| CVE-2019-10684 | 1 74cms | 1 74cms | 2019-04-03 | 7.5 HIGH | 9.8 CRITICAL |
| Application/Admin/Controller/ConfigController.class.php in 74cms v5.0.1 allows remote attackers to execute arbitrary PHP code via the index.php?m=Admin&c=config&a=edit site_domain parameter. | |||||
| CVE-2017-18108 | 1 Atlassian | 1 Crowd | 2019-04-01 | 6.5 MEDIUM | 7.2 HIGH |
| The administration SMTP configuration resource in Atlassian Crowd before version 2.10.2 allows remote attackers with administration rights to execute arbitrary code via a JNDI injection. | |||||
| CVE-2018-10517 | 1 Cmsmadesimple | 1 Cms Made Simple | 2019-03-15 | 6.5 MEDIUM | 7.2 HIGH |
| In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element. | |||||
| CVE-2018-1260 | 1 Pivotal Software | 1 Spring Security Oauth | 2019-03-13 | 7.5 HIGH | 9.8 CRITICAL |
| Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization request to the authorization endpoint that can lead to remote code execution when the resource owner is forwarded to the approval endpoint. | |||||
| CVE-2018-5158 | 4 Canonical, Debian, Mozilla and 1 more | 10 Ubuntu Linux, Debian Linux, Firefox and 7 more | 2019-03-13 | 6.8 MEDIUM | 8.8 HIGH |
| The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60. | |||||
| CVE-2017-10844 | 1 Basercms | 1 Basercms | 2019-03-12 | 6.5 MEDIUM | 8.8 HIGH |
| baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors. | |||||
| CVE-2019-9651 | 1 Sdcms | 1 Sdcms | 2019-03-11 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in SDCMS V1.7. In the \app\admin\controller\themecontroller.php file, the check_bad() function's filtering is not strict, resulting in PHP code execution. This occurs because some dangerous PHP functions (such as "eval") are blocked but others (such as "system") are not, and because ".php" is blocked but ".PHP" is not blocked. | |||||
| CVE-2013-7468 | 1 Simplemachines | 1 Simple Machines Forum | 2019-03-08 | 6.8 MEDIUM | 8.1 HIGH |
| Simple Machines Forum (SMF) 2.0.4 allows PHP Code Injection via the index.php?action=admin;area=languages;sa=editlang dictionary parameter. | |||||
| CVE-2015-1061 | 1 Apple | 3 Iphone Os, Mac Os X, Tvos | 2019-03-08 | 9.3 HIGH | N/A |
| IOSurface in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages "type confusion" during serialized-object handling. | |||||
| CVE-2009-1144 | 3 Foolabs, Gentoo, Glyphandcog | 3 Xpdf, Gentoo Linux, Xpdfreader | 2019-03-06 | 6.9 MEDIUM | N/A |
| Untrusted search path vulnerability in the Gentoo package of Xpdf before 3.02-r2 allows local users to gain privileges via a Trojan horse xpdfrc file in the current working directory, related to an unset SYSTEM_XPDFRC macro in a Gentoo build process that uses the poppler library. | |||||
| CVE-2018-7466 | 1 Testlink | 1 Testlink | 2019-03-05 | 6.0 MEDIUM | 7.5 HIGH |
| install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value. | |||||
| CVE-2019-9227 | 1 Baigo | 1 Baigo Cms | 2019-02-28 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in baigo CMS 2.1.1. There is a vulnerability that allows remote attackers to execute arbitrary code. A BG_SITE_NAME parameter with malicious code can be written into the opt_base.inc.php file. | |||||
| CVE-2009-0555 | 1 Microsoft | 7 Windows 2000, Windows Media Format Runtime, Windows Media Player and 4 more | 2019-02-28 | 9.3 HIGH | N/A |
| Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka "Windows Media Runtime Voice Sample Rate Vulnerability." | |||||
| CVE-2014-4148 | 1 Microsoft | 9 Windows 7, Windows 8, Windows 8.1 and 6 more | 2019-02-26 | 9.3 HIGH | N/A |
| win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted TrueType font, as exploited in the wild in October 2014, aka "TrueType Font Parsing Remote Code Execution Vulnerability." | |||||
| CVE-2015-1645 | 1 Microsoft | 4 Windows 7, Windows Server 2003, Windows Server 2008 and 1 more | 2019-02-26 | 9.3 HIGH | N/A |
| Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 allow remote attackers to execute arbitrary code via a crafted Enhanced Metafile (EMF) image, aka "EMF Processing Remote Code Execution Vulnerability." | |||||
| CVE-2012-4786 | 1 Microsoft | 5 Windows 7, Windows Server 2003, Windows Server 2008 and 2 more | 2019-02-26 | 10.0 HIGH | N/A |
| The kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT allow remote attackers to execute arbitrary code via a crafted TrueType Font (TTF) file, aka "TrueType Font Parsing Vulnerability." | |||||
| CVE-2011-3400 | 1 Microsoft | 2 Windows Server 2003, Windows Xp | 2019-02-26 | 9.3 HIGH | N/A |
| Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 do not properly handle OLE objects in memory, which allows remote attackers to execute arbitrary code via a crafted object in a file, aka "OLE Property Vulnerability." | |||||
| CVE-2009-0084 | 1 Microsoft | 4 Directx, Windows 2000, Windows Server 2003 and 1 more | 2019-02-26 | 9.3 HIGH | N/A |
| Use-after-free vulnerability in DirectShow in Microsoft DirectX 8.1 and 9.0 allows remote attackers to execute arbitrary code via an MJPEG file or video stream with a malformed Huffman table, which triggers an exception that frees heap memory that is later accessed, aka "MJPEG Decompression Vulnerability." | |||||