Total: 2906 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2019-11552 | 1 Code42 | 2 Code42 For Enterprise, Crashplan For Small Business | 2022-04-18 | 4.4 MEDIUM | 7.0 HIGH | Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allow eval injection. A proxy auto-configuration (PAC) file crafted by a lower-privileged user may be used to execute arbitrary code at higher privilege as the service user. |
CVE-2019-9848 | 5 Canonical, Debian, Fedoraproject and 2 more | 5 Ubuntu Linux, Debian Linux, Fedora and 2 more | 2022-04-18 | 7.5 HIGH | 9.8 CRITICAL | LibreOffice has a feature by which documents can specify that pre-installed scripts are executed on document events such as mouse-over. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector-graphics script that can be manipulated into executing arbitrary Python commands. By using the document-event feature to make LibreLogo execute Python contained in the document, a malicious document can be constructed that runs arbitrary Python commands silently, without warning. In the fixed versions, LibreLogo cannot be called from a document event handler. This issue affects Document Foundation LibreOffice versions prior to 6.2.5. |
CVE-2020-10389 | 1 Chadhaajay | 1 Phpkb | 2022-04-18 | 6.5 MEDIUM | 7.2 HIGH | admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve code execution by injecting PHP code into any POST parameter when saving global settings. |
CVE-2014-5112 | 1 Netfortris | 1 Trixbox | 2022-04-18 | 7.5 HIGH | N/A | maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter. |
CVE-2021-40219 | 1 Bolt | 1 Bolt Cms | 2022-04-15 | 6.5 MEDIUM | 8.8 HIGH | Bolt CMS <= 4.2 is vulnerable to remote code execution: unsafe theme rendering allows an authenticated attacker who can edit a theme to inject a server-side template injection payload that leads to remote code execution. |
CVE-2022-1159 | 1 Rockwellautomation | 10 Compact Guardlogix 5380, Compact Guardlogix 5380 Firmware, Compactlogix 5380 and 7 more | 2022-04-08 | 6.5 MEDIUM | 7.2 HIGH | Rockwell Automation Studio 5000 Logix Designer (all versions) is vulnerable: an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code that is undetectable to a user. |
CVE-2019-9082 | 3 Opensourcebms, Thinkphp, Zzzcms | 3 Open Source Background Management System, Thinkphp, Zzzphp | 2022-04-05 | 9.3 HIGH | 8.8 HIGH | ThinkPHP before 3.2.4, as used in Open Source BMS v1.1.1 and other products, allows remote command execution via public//?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]= followed by the command. |
CVE-2019-8341 | 2 Opensuse, Pocoo | 2 Leap, Jinja2 | 2022-04-05 | 7.5 HIGH | 9.8 CRITICAL | ** DISPUTED ** An issue was discovered in Jinja2 2.10. The from_string function is prone to server-side template injection (SSTI): it takes the "source" parameter as a template object, renders it, and returns the result. An attacker can exploit this with {{INJECTION COMMANDS}} in a URI. NOTE: the maintainer and multiple third parties believe this vulnerability is not valid because users should not render untrusted templates without sandboxing. |
CVE-2022-26255 | 1 Clash Project | 1 Clash | 2022-04-05 | 7.5 HIGH | 9.8 CRITICAL | Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. |
CVE-2022-26205 | 1 Marky Project | 1 Marky | 2022-03-31 | 7.5 HIGH | 9.8 CRITICAL | Marky commit 3686565726c65756e was discovered to contain a remote code execution (RCE) vulnerability via the Display text fields; attackers can execute arbitrary code by injecting a crafted payload. |
CVE-2022-26198 | 1 Notable | 1 Notable | 2022-03-30 | 7.5 HIGH | 9.8 CRITICAL | Notable v1.8.4 does not filter text editing, allowing attackers to execute arbitrary code via a crafted payload injected into the Title text field. |
CVE-2022-26272 | 1 Ionizecms | 1 Ionize | 2022-03-29 | 7.5 HIGH | 9.8 CRITICAL | A remote code execution (RCE) vulnerability in Ionize v1.0.8.1 allows attackers to execute arbitrary code via a crafted string written to the file application/config/config.php. |
CVE-2021-38745 | 1 Chamilo | 1 Chamilo | 2022-03-29 | 4.6 MEDIUM | 6.8 MEDIUM | Chamilo LMS v1.11.14 was discovered to contain a zero-click code injection vulnerability that allows attackers to execute arbitrary code via a crafted plugin. The vulnerability is triggered when a user visits the attacker's profile page. |
CVE-2020-25197 | 1 Ge | 6 Rt430, Rt430 Firmware, Rt431 and 3 more | 2022-03-28 | 9.0 HIGH | 8.8 HIGH | A code injection vulnerability exists in one of the web pages of the GE Reason RT430, RT431 and RT434 GNSS clocks in firmware versions prior to 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system. |
CVE-2022-25578 | 1 Taogogo | 1 Taocms | 2022-03-28 | 7.5 HIGH | 9.8 CRITICAL | taocms v3.0.2 allows attackers to achieve code injection by arbitrarily editing the .htaccess file. |
CVE-2022-0811 | 1 Kubernetes | 1 Cri-o | 2022-03-28 | 9.0 HIGH | 8.8 HIGH | A flaw was found in CRI-O in the way it sets kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node where the malicious pod was deployed. |
CVE-2022-0748 | 1 Post-loader Project | 1 Post-loader | 2022-03-23 | 7.5 HIGH | 9.8 CRITICAL | The package post-loader from 0.0.0 is vulnerable to arbitrary code execution: it uses a markdown parser in an unsafe way, so any JavaScript code inside the markdown input files gets evaluated and executed. |
CVE-2022-25760 | 1 Accesslog Project | 1 Accesslog | 2022-03-23 | 10.0 HIGH | 9.8 CRITICAL | All versions of package accesslog are vulnerable to arbitrary code injection due to use of the Function constructor without input sanitization. If attacker-controlled user input is given to the format option of the package's exported constructor function, an attacker can execute arbitrary JavaScript code on the host running the package. |
CVE-2022-0944 | 1 Sqlpad | 1 Sqlpad | 2022-03-21 | 6.5 MEDIUM | 7.2 HIGH | Template injection in the connection test endpoint leads to RCE in GitHub repository sqlpad/sqlpad prior to 6.10.1. |
CVE-2022-0895 | 1 Microweber | 1 Microweber | 2022-03-19 | 7.5 HIGH | 9.8 CRITICAL | Static code injection in GitHub repository microweber/microweber prior to 1.3. |
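The disputed Jinja2 entry (CVE-2019-8341) turns on one distinction: whether untrusted input is rendered as template source or passed to a fixed template as data. The following is an added example written for this page, not code from the CVE record or from the Jinja2 project. It shows the vulnerable from_string pattern the record describes, the fixed-template alternative, and the SandboxedEnvironment mitigation the maintainers point to; the probe strings and function names are constructed for illustration.

```python
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed attacker input, e.g. a value lifted from a URI parameter.  The
# classic probe: if "49" comes back, expressions are being evaluated.
PROBE = "{{ 7 * 7 }}"
# Start of the usual sandbox-escape chain: walk from a str to its class hierarchy.
ESCAPE_PROBE = "{{ ''.__class__.__mro__ }}"


def render_untrusted_as_template(user_input):
    """Vulnerable pattern from the CVE text: the user-supplied string *is* the
    template source, so Jinja2 compiles and evaluates whatever it contains."""
    return Environment().from_string(user_input).render()


def render_untrusted_as_data(user_input):
    """Correct pattern: the template is fixed application code and the user
    value is passed in as a variable.  Braces in the value are just characters;
    autoescape additionally neutralises HTML metacharacters."""
    env = Environment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=user_input)


def render_in_sandbox(user_input):
    """Mitigation when templates genuinely must come from users: the sandbox
    still evaluates expressions, but refuses access to private attributes
    (names starting with '_'), which the known escape chains depend on."""
    return SandboxedEnvironment().from_string(user_input).render()


def sandbox_blocks(user_input):
    """True if the sandbox raises SecurityError for this input."""
    try:
        render_in_sandbox(user_input)
    except SecurityError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable    :", render_untrusted_as_template(PROBE))  # 49
    print("as data       :", render_untrusted_as_data(PROBE))      # Hello {{ 7 * 7 }}
    print("sandbox       :", render_in_sandbox(PROBE))             # 49 (arithmetic is allowed)
    print("escape blocked:", sandbox_blocks(ESCAPE_PROBE))         # True
```

The sandbox is a containment measure, not an equivalence to the data pattern: it still evaluates arbitrary expressions and filters, so rendering a user-supplied template remains a code-execution boundary that needs its own review.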
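For CVE-2019-9082 the record gives the request shape (s=index/\think\app/invokefunction with function=call_user_func_array and the callee in vars[0]). As an added example, not from the page or from the ThinkPHP project, the detector below scans constructed access-log lines for that shape. It percent-decodes a second time so an encoded backslash (%5C) or bracket (%5B, %5D) is still caught, and compares case-insensitively because PHP class and function names are case-insensitive. The log lines, IP addresses and function names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined log format (not real traffic).
# Lines 1 and 2 carry the CVE-2019-9082 request shape, the second with the
# backslashes and brackets percent-encoded and mixed case; lines 3 and 4 are benign.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Apr/2022:10:00:01 +0000] "GET /public/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.6 - - [05/Apr/2022:10:00:02 +0000] "GET /index.php?s=index/%5Cthink%5Capp/InvokeFunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=-1 HTTP/1.1" 200 9012 "-" "curl/7.68.0"
198.51.100.7 - - [05/Apr/2022:10:00:03 +0000] "GET /index.php?s=index/user/login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.8 - - [05/Apr/2022:10:00:04 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def invokefunction_payload(target):
    """Return details of a ThinkPHP invokefunction payload in a request target,
    or None if the request does not match the CVE-2019-9082 shape."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs percent-decodes once; decode again so a double-encoded payload
    # (e.g. %255C for a backslash) is still seen.
    route = unquote(params.get("s", [""])[0]).lower()
    func = unquote(params.get("function", [""])[0]).lower()
    if "think\\app" not in route or "invokefunction" not in route:
        return None
    if func != "call_user_func_array":
        return None
    callee = unquote(params.get("vars[0]", [""])[0])
    args = [unquote(v) for v in params.get("vars[1][]", [])]
    return {"route": route, "callee": callee, "args": args}


def scan_access_log(text):
    """Return one finding per log line carrying the invokefunction payload."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = invokefunction_payload(m.group("target"))
        if hit:
            hit.update(ip=m.group("ip"), ts=m.group("ts"), status=m.group("status"))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} -> {f['callee']}({', '.join(f['args'])}) status={f['status']}")
```

A 200 status on a hit does not by itself prove the command ran, and a POST body is not in an access log, so treat a match as a trigger for host-side checks on the web server rather than as confirmation.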