Total
2906 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-9774 | 1 Horde | 1 Horde Image Api | 2018-08-18 | 6.5 MEDIUM | 8.8 HIGH |
| Remote Code Execution was found in Horde_Image 2.x before 2.5.0 via a crafted GET request. Exploitation requires authentication. | |||||
| CVE-2013-1756 | 2 Mark Evans, Ruby On Rails | 2 Dragonfly Gem, Ruby On Rails | 2018-08-13 | 7.5 HIGH | N/A |
| The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request. | |||||
| CVE-2018-12531 | 1 Metinfo | 1 Metinfo | 2018-08-13 | 7.5 HIGH | 9.8 CRITICAL |
| An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271. | |||||
| CVE-2017-7798 | 3 Debian, Mozilla, Redhat | 9 Debian Linux, Firefox, Firefox Esr and 6 more | 2018-08-09 | 6.8 MEDIUM | 8.8 HIGH |
| The Developer Tools feature suffers from a XUL injection vulnerability due to improper sanitization of the web page source code. In the worst case, this could allow arbitrary code execution when opening a malicious page with the style editor tool. This vulnerability affects Firefox ESR < 52.3 and Firefox < 55. | |||||
| CVE-2018-6512 | 1 Puppet | 3 Pe-razor-server, Puppet Enterprise, Razor-server | 2018-08-01 | 7.5 HIGH | 9.8 CRITICAL |
| The previous version of Puppet Enterprise 2018.1 is vulnerable to unsafe code execution when upgrading pe-razor-server. Affected releases are Puppet Enterprise: 2018.1.x versions prior to 2018.1.1 and razor-server and pe-razor-server prior to 1.9.0.0. | |||||
| CVE-2018-8938 | 1 Ipswitch | 1 Whatsup Gold | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| A Code Injection issue was discovered in DlgSelectMibFile.asp in Ipswitch WhatsUp Gold before 2018 (18.0). Malicious actors can inject a specially crafted SNMP MIB file that could allow them to execute arbitrary commands and code on the WhatsUp Gold server. | |||||
| CVE-2018-10429 | 1 Cosmocms | 1 Cosmo | 2018-06-13 | 7.5 HIGH | 9.8 CRITICAL |
| Cosmo 1.0.0Beta6 allows attackers to execute arbitrary PHP code via the Database Prefix field on the Database Info screen of install.php. | |||||
| CVE-2018-10574 | 1 Bigtreecms | 1 Bigtree Cms | 2018-06-07 | 7.5 HIGH | 9.8 CRITICAL |
| site/index.php/admin/trees/add/ in BigTree 4.2.22 and earlier allows remote attackers to upload and execute arbitrary PHP code because the BigTreeStorage class in core/inc/bigtree/apis/storage.php does not prevent uploads of .htaccess files. | |||||
| CVE-2018-10740 | 1 Axublog | 1 Axublog | 2018-06-07 | 7.5 HIGH | 9.8 CRITICAL |
| Axublog 1.1.0 allows remote Code Execution as demonstrated by injection of PHP code (contained in the webkeywords parameter) into the cmsconfig.php file. | |||||
| CVE-2017-1721 | 1 Ibm | 1 Qradar Security Information And Event Manager | 2018-05-25 | 6.8 MEDIUM | 5.6 MEDIUM |
| IBM Security QRadar SIEM 7.2 and 7.3 could allow an unauthenticated user to execute code remotely with lower level privileges under unusual circumstances. IBM X-Force ID: 134810. | |||||
| CVE-2018-10515 | 1 Cmsmadesimple | 1 Cms Made Simple | 2018-05-24 | 6.5 MEDIUM | 7.2 HIGH |
| In CMS Made Simple (CMSMS) through 2.2.7, the "file unpack" operation in the admin dashboard contains a remote code execution vulnerability exploitable by an admin user because a .php file can be present in the extracted ZIP archive. | |||||
| CVE-2018-10236 | 1 Poscms | 1 Poscms | 2018-05-22 | 6.5 MEDIUM | 7.2 HIGH |
| POSCMS 3.2.18 allows remote attackers to execute arbitrary PHP code via the diy\dayrui\controllers\admin\Syscontroller.php 'add' function because an attacker can control the value of $data['name'] with no restrictions, and this value is written to the FCPATH.$file file. | |||||
| CVE-2018-10235 | 1 Poscms | 1 Poscms | 2018-05-22 | 6.5 MEDIUM | 7.2 HIGH |
| POSCMS 3.2.10 allows remote attackers to execute arbitrary PHP code via the diy\module\member\controllers\admin\Setting.php 'index' function because an attacker can control the value of $cache['setting']['ucssocfg'] in diy\module\member\models\Member_model.php and write this code into the api/ucsso/config.php file. | |||||
| CVE-2018-10133 | 1 Pbootcms | 1 Pbootcms | 2018-05-22 | 7.5 HIGH | 9.8 CRITICAL |
| PbootCMS v0.9.8 allows PHP code injection via an IF label in index.php/About/6.html or admin.php/Site/index.html, related to the parserIfLabel function in \apps\home\controller\ParserController.php. | |||||
| CVE-2018-1028 | 1 Microsoft | 6 Excel Services, Office, Office 2010 and 3 more | 2018-05-21 | 9.3 HIGH | 8.8 HIGH |
| A remote code execution vulnerability exists when the Office graphics component improperly handles specially crafted embedded fonts, aka "Microsoft Office Graphics Remote Code Execution Vulnerability." This affects Word, Microsoft Office, Microsoft SharePoint, Excel, Microsoft SharePoint Server. | |||||
| CVE-2018-9848 | 1 Gxlcms | 1 Gxlcms Qy | 2018-05-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Gxlcms QY v1.0.0713, the upload function in Lib\Lib\Action\Admin\UploadAction.class.php allows remote attackers to execute arbitrary PHP code by first using an Admin-Admin-Configsave request to change the config[upload_class] value from jpg,gif,png,jpeg to jpg,gif,png,jpeg,php and then making an Admin-Upload-Upload request. | |||||
| CVE-2018-9847 | 1 Gxlcms | 1 Gxlcms Qy | 2018-05-14 | 7.5 HIGH | 9.8 CRITICAL |
| In Gxlcms QY v1.0.0713, the update function in Lib\Lib\Action\Admin\TplAction.class.php allows remote attackers to execute arbitrary PHP code by placing this code into a template. | |||||
| CVE-2008-4687 | 1 Mantis | 1 Mantis | 2018-05-12 | 9.0 HIGH | N/A |
| manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_api.php. | |||||
| CVE-2018-9175 | 1 Dedecms | 1 Dedecms | 2018-05-02 | 7.5 HIGH | 9.8 CRITICAL |
| DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the egroup parameter to uploads/dede/stepselect_main.php because code within the database is accessible to uploads/dede/sys_cache_up.php. | |||||
| CVE-2018-9174 | 1 Dedecms | 1 Dedecms | 2018-05-02 | 7.5 HIGH | 9.8 CRITICAL |
| sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control. | |||||