Total
2906 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2020-7672 | 1 Mosc Project | 1 Mosc | 2021-07-21 | 7.5 HIGH | 8.6 HIGH |
| mosc through 1.0.0 is vulnerable to Arbitrary Code Execution. User input provided to `properties` argument is executed by the `eval` function, resulting in code execution. | |||||
| CVE-2020-15070 | 1 Zulip | 1 Zulip Server | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| Zulip Server 2.x before 2.1.7 allows eval injection if a privileged attacker were able to write directly to the postgres database, and chose to write a crafted custom profile field value. | |||||
| CVE-2020-11804 | 1 Titanhq | 1 Spamtitan | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Titan SpamTitan 7.07. Due to improper sanitization of the parameter quid, used in the page mailqueue.php, code injection can occur. The input for this parameter is provided directly by an authenticated user via an HTTP GET request. | |||||
| CVE-2020-13756 | 1 Sabberworm | 1 Php Css Parser | 2021-07-21 | 7.5 HIGH | 9.8 CRITICAL |
| Sabberworm PHP CSS Parser before 8.3.1 calls eval on uncontrolled data, possibly leading to remote code execution if the function allSelectors() or getSelectorsBySpecificity() is called with input from an attacker. | |||||
| CVE-2020-25538 | 1 Cmsuno Project | 1 Cmsuno | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An authenticated attacker can inject malicious code into "lang" parameter in /uno/central.php file in CMSuno 1.6.2 and run this PHP code in the web page. In this way, attacker can takeover the control of the server. | |||||
| CVE-2019-17132 | 1 Vbulletin | 1 Vbulletin | 2021-07-21 | 6.8 MEDIUM | 9.8 CRITICAL |
| vBulletin through 5.5.4 mishandles custom avatars. | |||||
| CVE-2020-11803 | 1 Titanhq | 1 Spamtitan | 2021-07-21 | 6.5 MEDIUM | 8.8 HIGH |
| An issue was discovered in Titan SpamTitan 7.07. Improper sanitization of the parameter jaction when interacting with the page mailqueue.php could lead to PHP code evaluation server-side, because the user-provided input is passed directly to the php eval() function. The user has to be authenticated on the web platform before interacting with the page. | |||||
| CVE-2021-23390 | 1 Totaljs | 1 Total4 | 2021-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| The package total4 before 0.0.43 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | |||||
| CVE-2021-23389 | 1 Totaljs | 1 Total.js | 2021-07-14 | 7.5 HIGH | 9.8 CRITICAL |
| The package total.js before 3.4.9 are vulnerable to Arbitrary Code Execution via the U.set() and U.get() functions. | |||||
| CVE-2021-35514 | 1 Narou Project | 1 Narou | 2021-07-02 | 7.5 HIGH | 9.8 CRITICAL |
| Narou (aka Narou.rb) before 3.8.0 allows Ruby Code Injection via the title name or author name of a novel. | |||||
| CVE-2021-32924 | 1 Invisioncommunity | 1 Ips Community Suite | 2021-06-16 | 6.0 MEDIUM | 8.8 HIGH |
| Invision Community (aka IPS Community Suite) before 4.6.0 allows eval-based PHP code injection by a moderator because the IPS\cms\modules\front\pages\_builder::previewBlock method interacts unsafely with the IPS\_Theme::runProcessFunction method. | |||||
| CVE-2021-30461 | 1 Voipmonitor | 1 Voipmonitor | 2021-06-09 | 7.5 HIGH | 9.8 CRITICAL |
| A remote code execution issue was discovered in the web UI of VoIPmonitor before 24.61. When the recheck option is used, the user-supplied SPOOLDIR value (which might contain PHP code) is injected into config/configuration.php. | |||||
| CVE-2021-27811 | 1 Qibosoft | 1 Qibosoft | 2021-06-03 | 6.5 MEDIUM | 7.2 HIGH |
| A code injection vulnerability has been discovered in the Upgrade function of QibosoftX1 v1.0. An attacker is able execute arbitrary PHP code via exploitation of client_upgrade_edition.php and Upgrade.php. | |||||
| CVE-2019-14827 | 1 Moodle | 1 Moodle | 2021-06-01 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | |||||
| CVE-2017-4964 | 1 Cloudfoundry | 1 Bosh Azure Cpi | 2021-05-27 | 4.6 MEDIUM | 8.8 HIGH |
| Cloud Foundry Foundation BOSH Azure CPI v22 could potentially allow a maliciously crafted stemcell to execute arbitrary code on VMs created by the director, aka a "CPI code injection vulnerability." | |||||
| CVE-2021-3411 | 2 Linux, Redhat | 2 Linux Kernel, Enterprise Linux | 2021-05-21 | 4.6 MEDIUM | 6.7 MEDIUM |
| A flaw was found in the Linux kernel in versions prior to 5.10. A violation of memory access was found while detecting a padding of int3 in the linking state. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | |||||
| CVE-2021-28953 | 1 C\/c\+\+ Advanced Lint Project | 1 C\/c\+\+ Advanced Lint | 2021-04-22 | 6.8 MEDIUM | 7.8 HIGH |
| The unofficial C/C++ Advanced Lint extension before 1.9.0 for Visual Studio Code allows attackers to execute arbitrary binaries if the user opens a crafted repository. | |||||
| CVE-2021-27602 | 1 Sap | 1 Commerce | 2021-04-21 | 6.5 MEDIUM | 9.9 CRITICAL |
| SAP Commerce, versions - 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application. | |||||
| CVE-2009-2372 | 1 Drupal | 1 Drupal | 2021-04-21 | 6.5 MEDIUM | N/A |
| Drupal 6.x before 6.13 does not prevent users from modifying user signatures after the associated comment format has been changed to an administrator-controlled input format, which allows remote authenticated users to inject arbitrary web script, HTML, and possibly PHP code via a crafted user signature. | |||||
| CVE-2021-23281 | 1 Eaton | 1 Intelligent Power Manager | 2021-04-20 | 7.5 HIGH | 10.0 CRITICAL |
| Eaton Intelligent Power Manager (IPM) prior to 1.69 is vulnerable to unauthenticated remote code execution vulnerability. IPM software does not sanitize the date provided via coverterCheckList action in meta_driver_srv.js class. Attackers can send a specially crafted packet to make IPM connect to rouge SNMP server and execute attacker-controlled code. | |||||