Total
2906 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-6243 | 1 Sap | 1 Adaptive Server Enterprise | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Under certain conditions, SAP Adaptive Server Enterprise (XP Server on Windows Platform), versions 15.7, 16.0, does not perform the necessary checks for an authenticated user while executing the extended stored procedure, allowing an attacker to read, modify, delete restricted data on connected servers, leading to Code Injection. | |||||
| CVE-2020-7710 | 1 Safe-eval Project | 1 Safe-eval | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| This affects all versions of package safe-eval. It is possible for an attacker to run an arbitrary command on the host machine. | |||||
| CVE-2020-15070 | 1 Zulip | 1 Zulip Server | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. | |||||
| CVE-2020-5593 | 1 Zenphoto | 1 Zenphoto | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zenphoto versions prior to 1.5.7 allows an attacker to conduct PHP code injection attacks by leading a user to upload a specially crafted .zip file. | |||||
| CVE-2020-15865 | 1 Stimulsoft | 1 Reports | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| A Remote Code Execution vulnerability in Stimulsoft (aka Stimulsoft Reports) 2013.1.1600.0 allows an attacker to encode C# scripts as base-64 in the report XML file so that they will be compiled and executed on the server that processes this file. This can be used to fully compromise the server. | |||||
| CVE-2020-6248 | 1 Sap | 1 Adaptive Server Enterprise Backup Server | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| SAP Adaptive Server Enterprise (Backup Server), version 16.0, does not perform the necessary validation checks for an authenticated user while executing DUMP or LOAD command allowing arbitrary code execution or Code Injection. | |||||
| CVE-2020-28464 | 1 Djv Project | 1 Djv | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| This affects the package djv before 2.1.4. By controlling the schema file, an attacker can run arbitrary JavaScript code on the victim machine. | |||||
| CVE-2020-11546 | 1 Superwebmailer | 1 Superwebmailer | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| SuperWebMailer 7.21.0.01526 is susceptible to a remote code execution vulnerability in the Language parameter of mailingupgrade.php. An unauthenticated remote attacker can exploit this behavior to execute arbitrary PHP code via Code Injection. | |||||
| CVE-2020-11803 | 1 Titanhq | 1 Spamtitan | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page. | |||||
| CVE-2020-5203 | 1 Fatfreeframework | 1 Fat-free Framework | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method. | |||||
| CVE-2020-11804 | 1 Titanhq | 1 Spamtitan | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request. | |||||
| CVE-2020-10948 | 1 Alienform2 Project | 1 Alienform2 | 2021-07-21 | 10.0 HIGH | 9.8 CRITICAL |
| Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests. | |||||
| CVE-2020-10257 | 1 Themerex | 63 Addons, Aldo-gutenberg Wordpress Blog Theme, Amuli and 60 more | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter. | |||||
| CVE-2019-10769 | 1 Safer-eval Project | 1 Safer-eval | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError. | |||||
| CVE-2020-25538 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server. | |||||
| CVE-2019-17132 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| vBulletin through 5.5.4 mishandles custom avatars. | |||||
| CVE-2020-7673 | 1 Node-extend Project | 1 Node-extend | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| node-extend through 0.2.0 is vulnerable to Arbitrary Code Execution. User input provided to the argument `A` of `extend` function`(A,B,as,isAargs)` located within `lib/extend.js` is executed by the `eval` function, resulting in code execution. | |||||
| CVE-2020-25557 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| In CMSuno 1.6.2, an attacker can inject malicious PHP code as a "username" while changing his/her username & password. After that, when attacker logs in to the application, attacker's code will be run. As a result of this vulnerability, authenticated user can run command on the server. | |||||
| CVE-2019-10015 | 1 Baigo | 1 Baigo Sso | 2021-07-21 | 6.5 MEDIUM | 7.2 HIGH |
| baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitrary PHP code via the first form field of a configuration screen, because this code is written to the BG_SITE_NAME field in the opt_base.inc.php file. | |||||
| CVE-2020-35339 | 1 74cms | 1 74cms | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| In 74cms version 5.0.1, there is a remote code execution vulnerability in /Application/Admin/Controller/ConfigController.class.php and /ThinkPHP/Common/functions.php where attackers can obtain server permissions and control the server. | |||||