Total
2906 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
---|---|---|---|---|---|
CVE-2022-46648 | 2 Debian, Ruby-git Project | 2 Debian Linux, Ruby-git | 2023-02-02 | N/A | 8.0 HIGH |
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318. | |||||
CVE-2019-4716 | 1 Ibm | 1 Planning Analytics | 2023-02-01 | 10.0 HIGH | 9.8 CRITICAL |
IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094. | |||||
CVE-2018-7801 | 1 Schneider-electric | 2 Evlink Parking, Evlink Parking Firmware | 2023-02-01 | 6.8 MEDIUM | 8.8 HIGH |
A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed. | |||||
CVE-2016-10541 | 1 Shell-quote Project | 1 Shell-quote | 2023-01-31 | 7.5 HIGH | 9.8 CRITICAL |
The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection. | |||||
CVE-2022-4300 | 1 Xjd2020 | 1 Fastcms | 2023-01-30 | N/A | 8.8 HIGH |
A vulnerability was found in FastCMS. It has been rated as critical. This issue affects some unknown processing of the file /template/edit of the component Template Handler. The manipulation leads to injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-214901 was assigned to this vulnerability. | |||||
CVE-2020-36655 | 1 Yiiframework | 1 Gii | 2023-01-30 | N/A | 8.8 HIGH |
Yii Yii2 Gii before 2.2.2 allows remote attackers to execute arbitrary code via the Generator.php messageCategory field. The attacker can embed arbitrary PHP code into the model file. | |||||
CVE-2022-34456 | 1 Dell | 1 Emc Metro Node | 2023-01-25 | N/A | 8.8 HIGH |
Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application. | |||||
CVE-2023-22731 | 1 Shopware | 1 Shopware | 2023-01-24 | N/A | 8.8 HIGH |
Shopware is an open source commerce platform based on Symfony Framework and Vue js. In a Twig environment **without the Sandbox extension**, it is possible to refer to PHP functions in twig filters like `map`, `filter`, `sort`. This allows a template to call any global PHP function and thus execute arbitrary code. The attacker must have access to a Twig environment in order to exploit this vulnerability. This problem has been fixed with 6.4.18.1 with an override of the specified filters until the integration of the Sandbox extension has been finished. Users are advised to upgrade. Users of major versions 6.1, 6.2, and 6.3 may also receive this fix via a plugin. | |||||
CVE-2022-4060 | 1 Odude | 1 User Post Gallery | 2023-01-24 | N/A | 9.8 CRITICAL |
The User Post Gallery WordPress plugin through 2.19 does not limit what callback functions can be called by users, making it possible to any visitors to run code on sites running it. | |||||
CVE-2020-8140 | 2 Apple, Nextcloud | 2 Macos, Desktop | 2023-01-24 | 4.6 MEDIUM | 6.7 MEDIUM |
A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment. | |||||
CVE-2023-22853 | 1 Tiki | 1 Tiki | 2023-01-23 | N/A | 8.8 HIGH |
Tiki before 24.1, when feature_create_webhelp is enabled, allows lib/structures/structlib.php PHP Object Injection because of an eval. | |||||
CVE-2022-42268 | 1 Nvidia | 6 Nvidia Isaac Sim, Omniverse Audio2face, Omniverse Code and 3 more | 2023-01-23 | N/A | 7.8 HIGH |
Omniverse Kit contains a vulnerability in the reference applications Create, Audio2Face, Isaac Sim, View, Code, and Machinima. These applications allow executable Python code to be embedded in Universal Scene Description (USD) files to customize all aspects of a scene. If a user opens a USD file that contains embedded Python code in one of these applications, the embedded Python code automatically runs with the privileges of the user who opened the file. As a result, an unprivileged remote attacker could craft a USD file containing malicious Python code and persuade a local user to open the file, which may lead to information disclosure, data tampering, and denial of service. | |||||
CVE-2021-39144 | 5 Debian, Fedoraproject, Netapp and 2 more | 15 Debian Linux, Fedora, Snapmanager and 12 more | 2023-01-20 | 6.0 MEDIUM | 8.5 HIGH |
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose. | |||||
CVE-2023-0022 | 1 Sap | 1 Businessobjects Business Intelligence Platform | 2023-01-18 | N/A | 8.8 HIGH |
SAP BusinessObjects Business Intelligence Analysis edition for OLAP allows an authenticated attacker to inject malicious code that can be executed by the application over the network. On successful exploitation, an attacker can perform operations that may completely compromise the application causing a high impact on the confidentiality, integrity, and availability of the application. | |||||
CVE-2008-1997 | 1 Ibm | 1 Db2 | 2023-01-17 | 9.0 HIGH | N/A |
Unspecified vulnerability in the ADMIN_SP_C2 procedure in IBM DB2 8 before FP16, 9.1 before FP4a, and 9.5 before FP1 allows remote authenticated users to execute arbitrary code via unknown vectors. NOTE: the ADMIN_SP_C issue is already covered by CVE-2008-0699. | |||||
CVE-2022-37933 | 1 Hpe | 4 Superdome Flex, Superdome Flex 280, Superdome Flex 280 Firmware and 1 more | 2023-01-12 | N/A | 7.8 HIGH |
A potential security vulnerability has been identified in HPE Superdome Flex and Superdome Flex 280 servers. The vulnerability could be exploited to allow local unauthorized data injection. HPE has made the following software updates to resolve the vulnerability in HPE Superdome Flex firmware 3.60.50 and below and Superdome Flex 280 servers firmware 1.40.60 and below. | |||||
CVE-2023-0048 | 1 Daloradius | 1 Daloradius | 2023-01-10 | N/A | 8.8 HIGH |
Code Injection in GitHub repository lirantal/daloradius prior to master-branch. | |||||
CVE-2015-10009 | 1 Nonfiction | 1 Nterchange | 2023-01-09 | N/A | 9.8 CRITICAL |
A vulnerability was found in nterchange up to 4.1.0. It has been rated as critical. This issue affects the function getContent of the file app/controllers/code_caller_controller.php. The manipulation of the argument q with the input %5C%27%29;phpinfo%28%29;/* leads to code injection. The exploit has been disclosed to the public and may be used. Upgrading to version 4.1.1 is able to address this issue. The name of the patch is fba7d89176fba8fe289edd58835fe45080797d99. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-217187. | |||||
CVE-2022-48198 | 2 Ntpd Driver Project, Openrobotics | 2 Ntpd Driver, Robot Operating System | 2023-01-09 | N/A | 9.8 CRITICAL |
The ntpd_driver component before 1.3.0 and 2.x before 2.2.0 for Robot Operating System (ROS) allows attackers, who control the source code of a different node in the same ROS application, to change a robot's behavior. This occurs because a topic name depends on the attacker-controlled time_ref_topic parameter. | |||||
CVE-2021-24942 | 1 Menu Item Visibility Control Project | 1 Menu Item Visibility Control | 2023-01-05 | N/A | 7.2 HIGH |
The Menu Item Visibility Control WordPress plugin through 0.5 doesn't sanitize and validate the "Visibility logic" option for WordPress menu items, which could allow highly privileged users to execute arbitrary PHP code even in a hardened environment. |