Total: 2906 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
---|---|---|---|---|---|---|
CVE-2023-1004 | 2 Marktext, Microsoft | 2 Marktext, Windows | 2023-03-03 | N/A | 7.8 HIGH | A vulnerability has been found in MarkText up to 0.17.1 and classified as critical. Affected by this vulnerability is an unknown functionality of the component WSH JScript Handler. The manipulation leads to code injection. Local access is required for this attack. The exploit has been disclosed to the public and may be used. The identifier VDB-221737 was assigned to this vulnerability. |
CVE-2023-1005 | 1 Markdown-electron Project | 1 Markdown-electron | 2023-03-03 | N/A | 7.8 HIGH | A vulnerability was found in JP1016 Markdown-Electron and classified as critical. Affected by this issue is some unknown functionality. The manipulation leads to code injection. Local access is required for this attack. The exploit has been disclosed to the public and may be used. Continuous delivery with rolling releases is used by this product; therefore, no version details of affected or updated releases are available. VDB-221738 is the identifier assigned to this vulnerability. |
CVE-2020-28367 | 1 Golang | 1 Go | 2023-03-03 | 5.1 MEDIUM | 7.5 HIGH | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via malicious gcc flags specified via a #cgo directive. |
CVE-2019-16255 | 4 Debian, Opensuse, Oracle and 1 more | 4 Debian Linux, Leap, Graalvm and 1 more | 2023-03-03 | 6.8 MEDIUM | 8.1 HIGH | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. |
CVE-2022-46836 | 1 Tribe29 | 1 Checkmk | 2023-03-02 | N/A | 8.8 HIGH | PHP code injection in watolib auth.php and hosttags.php in Tribe29's Checkmk <= 2.1.0p10, Checkmk <= 2.0.0p27, and Checkmk <= 1.6.0p29 allows an attacker to inject PHP code which is executed upon request of the vulnerable component. |
CVE-2022-41945 | 1 Super-xray Project | 1 Super-xray | 2023-03-01 | N/A | 9.8 CRITICAL | super-xray is a GUI launcher for the xray vulnerability scanner. In version 0.1-beta, the URL is not filtered and is spliced directly into the command, resulting in a possible RCE vulnerability. Users should upgrade to super-xray 0.2-beta. |
CVE-2022-42889 | 2 Apache, Netapp | 2 Commons Text, Bluexp | 2023-03-01 | N/A | 9.8 CRITICAL | Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: "script" (execute expressions using the JVM script execution engine, javax.script); "dns" (resolve DNS records); "url" (load values from URLs, including from remote servers). Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. |
CVE-2015-9298 | 1 Wp-events-plugin | 1 Events Manager | 2023-02-28 | 7.5 HIGH | 9.8 CRITICAL | The events-manager plugin before 5.6 for WordPress has code injection. |
CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2023-02-28 | 7.5 HIGH | 9.8 CRITICAL | /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie, because the cookie's username field allows eval injection and an empty password bypasses authentication. |
CVE-2020-28366 | 3 Fedoraproject, Golang, Netapp | 4 Fedora, Go, Cloud Insights Telegraf Agent and 1 more | 2023-02-28 | 5.1 MEDIUM | 7.5 HIGH | Code injection in the go command with cgo before Go 1.14.12 and Go 1.15.5 allows arbitrary code execution at build time via a malicious unquoted symbol name in a linked object file. |
CVE-2023-24078 | 1 Realtimelogic | 1 Fuguhub | 2023-02-24 | N/A | 8.8 HIGH | Real Time Logic FuguHub v8.1 and earlier was discovered to contain a remote code execution (RCE) vulnerability via the component /FuguHub/cmsdocs/. |
CVE-2023-0877 | 1 Froxlor | 1 Froxlor | 2023-02-24 | N/A | 8.8 HIGH | Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11. |
CVE-2023-22855 | 1 Kardex | 1 Kardex Control Center | 2023-02-24 | N/A | 9.8 CRITICAL | Kardex Mlog MCC 5.7.12+0-a203c2a213-master allows remote code execution. It spawns a web interface listening on port 8088. A user-controllable path is handed to a path-concatenation method (Path.Combine from .NET) without proper sanitisation. This yields the possibility of including local files, as well as remote files on SMB shares. If one provides a file with the extension .t4, it is rendered with the .NET templating engine mono/t4, which can execute code. |
CVE-2023-0792 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-02-23 | N/A | 5.4 MEDIUM | Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
CVE-2023-24576 | 1 Dell | 1 Emc Networker | 2023-02-23 | N/A | 9.8 CRITICAL | EMC NetWorker may potentially be vulnerable to an unauthenticated remote code execution vulnerability in the NetWorker Client execution service (nsrexecd), irrespective of the authentication method in use. |
CVE-2023-25717 | 1 Ruckuswireless | 61 E510, H320, H350 and 58 more | 2023-02-23 | N/A | 9.8 CRITICAL | Ruckus Wireless Admin through 10.4 allows Remote Code Execution via an unauthenticated HTTP GET Request, as demonstrated by a /forms/doLogin?login_username=admin&password=password$(curl substring. |
CVE-2023-0788 | 1 Phpmyfaq | 1 Phpmyfaq | 2023-02-22 | N/A | 9.8 CRITICAL | Code Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11. |
CVE-2023-23551 | 1 Controlbyweb | 2 X-600m, X-600m Firmware | 2023-02-22 | N/A | 9.8 CRITICAL | Control By Web X-600M devices run Lua scripts and are vulnerable to code injection, which could allow an attacker to remotely execute arbitrary code. |
CVE-2023-0297 | 1 Pyload | 1 Pyload | 2023-02-22 | N/A | 9.8 CRITICAL | Code Injection in GitHub repository pyload/pyload prior to 0.5.0b3.dev31. |
CVE-2023-23912 | 1 Ui | 20 Er-10x, Er-10x Firmware, Er-12 and 17 more | 2023-02-17 | N/A | 8.8 HIGH | A vulnerability, found in EdgeRouters Version 2.0.9-hotfix.5 and earlier and UniFi Security Gateways (USG) Version 4.4.56 and earlier with their DHCPv6 prefix delegation set to dhcpv6-stateless or dhcpv6-stateful, allows a malicious actor directly connected to the WAN interface of an affected device to achieve remote code execution. |
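The Ruby entry above (CVE-2019-16255) describes the general shape of a method-dispatch code injection: a caller-supplied "command" string is forwarded to `send`, so it can name any method reachable through `send`, including private Kernel methods such as `system`. The following is an added example written for this page; it is not code from the CVE record or from Ruby's lib/shell.rb. `vulnerable_test` mirrors the dispatch pattern described in the entry, and `hardened_test` is this example's own allowlist (built from FileTest's public singleton methods and a `respond_to?` check), not the upstream patch. The temp file is constructed inline.

```ruby
# Added example for CVE-2019-16255 (not Ruby's lib/shell.rb): untrusted method
# names passed to `send`, and one way to fence them in. The allowlist below is
# this example's own hardening, not the upstream fix.
require "set"
require "tempfile"

# Vulnerable shape: the caller-controlled command string becomes the method
# name. `send` ignores visibility, so "system" (a private Kernel method that
# every Module inherits) is reachable exactly like "size" or "exist?".
def vulnerable_test(command, file1, file2 = nil)
  args = file2 ? [file1, file2] : [file1]
  FileTest.send(command, *args)
end

# Only the public file-test predicates and queries FileTest itself defines
# (directory?, exist?, size, ...). Inherited Kernel methods such as system,
# send or instance_eval are instance methods of Module, not singleton methods
# of FileTest, so they never land in this set.
FILETEST_COMMANDS = FileTest.singleton_methods.map(&:to_s).to_set.freeze

# Hardened shape: reject anything outside the allowlist before dispatch, and
# use public_send so visibility is still enforced even if the list drifts.
def hardened_test(command, file1, file2 = nil)
  name = command.to_s
  unless FILETEST_COMMANDS.include?(name) && FileTest.respond_to?(name)
    raise ArgumentError, "not a file test: #{command.inspect}"
  end
  args = file2 ? [file1, file2] : [file1]
  FileTest.public_send(name, *args)
end

# Runs both dispatchers against a constructed temp file and returns
# [legit_size, injected_result, injection_blocked?, hardened_size].
def demo
  Tempfile.create("shell-test") do |f|
    f.write("hello")
    f.flush
    legit = vulnerable_test("size", f.path)            # intended use: 5 bytes
    # Attacker-chosen "command": instance_eval is public on every object, so the
    # string argument is evaluated as Ruby. The same path reaches `system`
    # (private) because `send` bypasses visibility; that is not run here.
    injected = vulnerable_test("instance_eval", "6 * 7")
    blocked = begin
      hardened_test("instance_eval", "6 * 7")
      false
    rescue ArgumentError
      true
    end
    [legit, injected, blocked, hardened_test("size", f.path)]
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The allowlist is the important part: `respond_to?` alone already rejects private methods, but it still says yes to public methods such as `instance_eval` and `public_send`, which is why the explicit set of FileTest's own methods is checked first.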