Vulnerabilities (CVE)

Filtered by CWE-94
Total 2906 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2019-5997 1 Panasonic 1 Video Insight Vms 2020-05-20 7.5 HIGH 9.8 CRITICAL
Video Insight VMS 7.5 and earlier allows remote attackers to conduct code injection attacks via unspecified vectors.
CVE-2020-8149 1 Logkitty Project 1 Logkitty 2020-05-19 7.5 HIGH 9.8 CRITICAL
Lack of output sanitization allowed an attacker to execute arbitrary shell commands via the logkitty npm package before version 0.7.1.
CVE-2019-0330 1 Sap 1 Diagnostics Agents 2020-04-17 6.5 MEDIUM 9.1 CRITICAL
The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
CVE-2020-5739 1 Grandstream 12 Gxp1610, Gxp1610 Firmware, Gxp1615 and 9 more 2020-04-14 9.0 HIGH 8.8 HIGH
Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker adds an OpenVPN up script to the phone's VPN settings via the "Additional Settings" field in the web interface. When the VPN's connection is established, the user defined script is executed with root privileges.
CVE-2019-9163 1 Marchnetworks 1 Command Client 2020-04-03 7.5 HIGH 9.8 CRITICAL
The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects.
CVE-2020-5553 1 Mailform 1 Mailform 2020-03-27 10.0 HIGH 9.8 CRITICAL
mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors.
CVE-2018-9113 1 Cdc 1 Microbetrace 2020-03-27 9.3 HIGH 7.8 HIGH
Centers for Disease Control and Prevention MicrobeTRACE 0.1.12 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial '><script type="text/javascript" src=' line. Fix released on 2018-03-29.
CVE-2018-8974 1 Cdc 1 Microbetrace 2020-03-27 9.3 HIGH 7.8 HIGH
Centers for Disease Control and Prevention MicrobeTRACE 0.1.11 allows remote attackers to execute arbitrary code, related to code injection via a crafted CSV file with an initial 'Source<script type="text/javascript" src=' line. Fix released on 2018-03-28.
CVE-2020-6650 1 Eaton 1 Ups Companion 2020-03-27 5.8 MEDIUM 8.8 HIGH
UPS companion software v1.05 & Prior is affected by an 'Eval Injection' vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call, e.g. "eval" in the "Update Manager" class, when the software attempts to see if there are updates available. This results in arbitrary code execution on the machine where the software is installed.
CVE-2020-7480 1 Schneider-electric 22 Andover Continuum 5720, Andover Continuum 5720 Firmware, Andover Continuum 5740 and 19 more 2020-03-25 7.5 HIGH 9.8 CRITICAL
A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data.
CVE-2020-8137 1 Blamer Project 1 Blamer 2020-03-25 7.5 HIGH 9.8 CRITICAL
Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.
CVE-2019-18582 1 Dell 6 Emc Data Protection Advisor, Emc Idpa Dp4400, Emc Idpa Dp5800 and 3 more 2020-03-24 9.0 HIGH 7.2 HIGH
Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.
CVE-2020-8141 1 Dot Project 1 Dot 2020-03-17 6.5 MEDIUM 8.8 HIGH
The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.
CVE-2019-3695 2 Opensuse, Suse 5 Leap, Pcp, Linux Enterprise High Performance Computing and 2 more 2020-03-06 7.2 HIGH 7.8 HIGH
An Improper Control of Generation of Code vulnerability in the packaging of pcp of SUSE Linux Enterprise High Performance Computing 15-ESPOS, SUSE Linux Enterprise High Performance Computing 15-LTSS, SUSE Linux Enterprise Module for Development Tools 15, SUSE Linux Enterprise Module for Development Tools 15-SP1, SUSE Linux Enterprise Module for Open Buildservice Development Tools 15, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 15, SUSE Linux Enterprise Software Development Kit 12-SP4, SUSE Linux Enterprise Software Development Kit 12-SP5; openSUSE Leap 15.1 allows the user pcp to run code as root by placing it into /var/log/pcp/configs.sh. This issue affects: SUSE Linux Enterprise High Performance Computing 15-ESPOS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise High Performance Computing 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Module for Development Tools 15-SP1 pcp versions prior to 4.3.1-3.5.3. SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server 15-LTSS pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Server for SAP 15 pcp versions prior to 3.11.9-5.8.1. SUSE Linux Enterprise Software Development Kit 12-SP4 pcp versions prior to 3.11.9-6.14.1. SUSE Linux Enterprise Software Development Kit 12-SP5 pcp versions prior to 3.11.9-6.14.1. openSUSE Leap 15.1 pcp versions prior to 4.3.1-lp151.2.3.1.
CVE-2020-8129 1 Script-manager Project 1 Script-manager 2020-02-21 7.5 HIGH 9.8 CRITICAL
An unintended require vulnerability in script-manager npm package version 0.8.6 and earlier may allow attackers to execute arbitrary code.
CVE-2013-4211 1 Openx 1 Openx 2020-02-19 7.5 HIGH 9.8 CRITICAL
A Code Execution Vulnerability exists in OpenX Ad Server 2.8.10 due to a backdoor in the flowplayer-3.1.1.min.js library, which could let a remote malicious user execute arbitrary PHP code.
CVE-2019-17268 1 Omniauth-weibo-oauth2 Project 1 Omniauth-weibo-oauth2 2020-02-11 7.5 HIGH 9.8 CRITICAL
The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected.
CVE-2003-0498 1 Intersystems 1 Cache Database 2020-02-10 7.2 HIGH N/A
Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges.
CVE-2014-2909 1 Siemens 6 Simatic S7 Cpu-1211c, Simatic S7 Cpu 1200 Firmware, Simatic S7 Cpu 1212c and 3 more 2020-02-10 5.8 MEDIUM N/A
CRLF injection vulnerability in the integrated web server on Siemens SIMATIC S7-1200 CPU devices 2.x and 3.x allows remote attackers to inject arbitrary HTTP headers via unspecified vectors.
CVE-2019-14867 2 Fedoraproject, Freeipa 2 Fedora, Freeipa 2020-02-04 6.8 MEDIUM 8.8 HIGH
A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.