Vulnerabilities (CVE)

CWE filter: CWE-94 (Improper Control of Generation of Code, "Code Injection")

2375 total CVEs
CVE | Vendors (count, then names) | Products (count, then names) | Updated | CVSS
CVE-2018-19595 1 Pbootcms 1 Pbootcms 2019-04-17 7.5
PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect...
CVE-2017-16871 1 Updraftplus 1 Updraftplus 2019-04-16 6.8
** DISPUTED ** The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the...
CVE-2019-6713 1 Thinkcmf 1 Thinkcmf 2019-04-12 7.5
app\admin\controller\RouteController.php in ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code by using vectors involving portal/List/index and list/:id to inject this code into data\conf\route.php, as demonstrated by a...
CVE-2019-10125 1 Linux 1 Linux Kernel 2019-04-11 10.0
An issue was discovered in aio_poll() in fs/aio.c in the Linux kernel through 5.0.4. A file may be released by aio_poll_wake() if an expected event is triggered immediately (e.g., by the close of a pair of pipes) after the return of vfs_poll(),...
CVE-2019-10124 1 Linux 1 Linux Kernel 2019-04-11 7.8
An issue was discovered in the hwpoison implementation in mm/memory-failure.c in the Linux kernel before 5.0.4. When soft_offline_in_use_page() runs on a thp tail page after pmd is split, an attacker can cause a denial of service (BUG).
CVE-2019-10842 1 Getbootstrap 1 Bootstrap-sass 2019-04-11 10.0
Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which...
CVE-2019-10633 1 Zyxel 1 Nas326 Firmware 2019-04-10 6.5
An eval injection vulnerability in the Python web server routing on the Zyxel NAS 326 version 5.21 and below allows a remote authenticated attacker to execute arbitrary code via the tjp6jp6y4, simZysh, and ck6fup6 APIs.
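The entry above describes the canonical CWE-94 pattern: a request-controlled API name is spliced into Python source and handed to eval(). The following is an added example, not Zyxel's firmware code, and the handler names, the ADMIN_TOKEN constant and the payload are constructed for illustration. It puts an eval-based dispatcher beside a table-driven one to show why the first lets the caller run arbitrary code and the second does not.

```python
import re

# Constructed stand-ins for the device's API handlers (not Zyxel code).
def api_status() -> str:
    return "status ok"

def api_reboot() -> str:
    return "reboot scheduled"

# Constructed: something the router never intends to expose to request data.
ADMIN_TOKEN = "constructed-secret-token"

def route_unsafe(api_name: str) -> str:
    """CWE-94: the request-controlled name becomes part of the source text
    that is evaluated, so the caller decides what code runs and in which
    scope (here: the module globals, including ADMIN_TOKEN)."""
    return eval(f"api_{api_name}()")

# Hardened dispatch: a fixed routing table plus a strict allow-list on the name.
ROUTES = {"status": api_status, "reboot": api_reboot}
_NAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")

def route_safe(api_name: str) -> str:
    """Validate the name, look the handler up, never interpret input as code."""
    if not _NAME_RE.fullmatch(api_name):
        raise ValueError(f"malformed API name: {api_name!r}")
    try:
        handler = ROUTES[api_name]
    except KeyError:
        raise ValueError(f"unknown API: {api_name!r}") from None
    return handler()

# Constructed payload: completes the intended call, appends attacker-chosen
# code, and comments out the trailing "()" the dispatcher adds.
PAYLOAD = "status() + ADMIN_TOKEN  #"

def demo() -> dict:
    """Run both dispatchers on a normal name and on the payload."""
    results = {
        "unsafe_normal": route_unsafe("status"),
        "unsafe_payload": route_unsafe(PAYLOAD),
        "safe_normal": route_safe("status"),
    }
    try:
        route_safe(PAYLOAD)
        results["safe_payload"] = "executed"
    except ValueError as exc:
        results["safe_payload"] = f"rejected: {exc}"
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The payload works because eval() sees the concatenated string `api_status() + ADMIN_TOKEN  #()` as one expression; anything reachable from the evaluating scope, here a module-level secret, is available to it. The allow-listed table lookup has no such seam: an unknown or malformed name is rejected before any code runs.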
CVE-2019-10905 2019-04-10 6.8
Parsedown before 1.7.2, when safe mode is used and HTML markup is disabled, might allow attackers to execute arbitrary JavaScript code if a script (already running on the affected page) executes the contents of any element with a specific class....
CVE-2019-10867 1 Pimcore 1 Pimcore 2019-04-08 6.5
An issue was discovered in Pimcore before 5.7.1. An attacker with classes permission can send a POST request to /admin/class/bulk-commit, which will make it possible to exploit the unserialize function when passing untrusted values in the data...
CVE-2019-7539 1 Ipycache Project 1 Ipycache 2019-03-25 6.8
A code injection issue was discovered in ipycache through 2016-05-31.
CVE-2019-9752 1 Otrs 1 Otrs 2019-03-21 6.5
An issue was discovered in Open Ticket Request System (OTRS) 5.x before 5.0.34, 6.x before 6.0.16, and 7.x before 7.0.4. An attacker who is logged into OTRS as an agent or a customer user may upload a carefully crafted resource in order to cause...
CVE-2019-7653 1 Rdflib Project 1 Rdflib 2019-03-21 7.5
The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This...
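The mechanism in the entry above is a general property of `python -m`: the interpreter puts the current working directory at the front of sys.path, so a same-named module planted there wins over the installed one for every import the tool makes. The following is an added example, not RDFLib or Debian code. It builds a constructed tool package (demotool.cli importing a sibling helper module, standing in for rdf2dot importing rdflib) in a temporary "installed" location, runs it with `python -m` from a directory containing a planted helper.py, and reports which module was actually imported; the -P flag (Python 3.11+) is the interpreter-level mitigation.

```python
import os
import subprocess
import sys
import tempfile

# Constructed marker strings so the result of each run is unambiguous.
LEGIT = "helper from the installed package"
PLANTED = "helper planted in the working directory"

def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)

def safe_path_available() -> bool:
    """`python -P` (do not prepend cwd to sys.path) exists from Python 3.11 on."""
    return sys.version_info >= (3, 11)

def run_tool(plant_in_cwd: bool, safe_path: bool = False) -> str:
    """Run the constructed CLI tool with `python -m` from an untrusted working
    directory and return which `helper` module it imported."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "site")  # stands in for site-packages
        work = os.path.join(tmp, "work")     # the attacker-controlled cwd
        os.makedirs(work)
        # The "installed" tool: demotool.cli imports a top-level helper module,
        # the way rdf2dot imports rdflib.
        _write(os.path.join(install, "demotool", "__init__.py"), "")
        _write(os.path.join(install, "demotool", "cli.py"),
               "import helper\nprint(helper.SOURCE)\n")
        _write(os.path.join(install, "helper.py"), f"SOURCE = {LEGIT!r}\n")
        if plant_in_cwd:
            # Attacker drops a same-named module where the victim will run the tool.
            _write(os.path.join(work, "helper.py"), f"SOURCE = {PLANTED!r}\n")
        flags = ["-P"] if safe_path else []
        env = dict(os.environ, PYTHONPATH=install, PYTHONDONTWRITEBYTECODE="1")
        env.pop("PYTHONSAFEPATH", None)  # make the unmitigated run deterministic
        proc = subprocess.run([sys.executable, *flags, "-m", "demotool.cli"],
                              cwd=work, env=env, capture_output=True,
                              text=True, check=True)
        return proc.stdout.strip()

if __name__ == "__main__":
    print("clean cwd        :", run_tool(plant_in_cwd=False))
    print("planted cwd      :", run_tool(plant_in_cwd=True))
    if safe_path_available():
        print("planted cwd, -P  :", run_tool(plant_in_cwd=True, safe_path=True))
```

The ordering that matters is sys.path[0] (the cwd, inserted by -m) ahead of the PYTHONPATH and site-packages entries, so the planted helper.py shadows the legitimate one whenever the tool is started from a directory the attacker can write to. On 3.11+ `-P` (or PYTHONSAFEPATH=1) removes that entry; on older interpreters the practical mitigations are an entry-point script rather than `python -m`, or never running such tools from an untrusted directory.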
CVE-2014-0111 1 Apache 1 Syncope 2019-03-21 6.5
Apache Syncope 1.0.0 before 1.0.9 and 1.1.0 before 1.1.7 allows remote administrators to execute arbitrary Java code via vectors related to Apache Commons JEXL expressions, "derived schema definition," "user / role templates," and "account links...
CVE-2019-8942 2 Wordpress, Debian 2 Wordpress, Debian Linux 2019-03-20 6.5
WordPress before 4.9.9 and 5.x before 5.0.1 allows remote code execution because an _wp_attached_file Post Meta entry can be changed to an arbitrary string, such as one ending with a .jpg?file.php substring. An attacker with author privileges can...
CVE-2003-0498 1 Intersystems 1 Cache Database 2019-03-18 7.2
Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges.
CVE-2018-10517 1 Cmsmadesimple 1 Cms Made Simple 2019-03-15 6.5
In CMS Made Simple (CMSMS) through 2.2.7, the "module import" operation in the admin dashboard contains a remote code execution vulnerability, exploitable by an admin user, because an XML Package can contain base64-encoded PHP code in a data element.
CVE-2019-9829 1 Maccms 1 Maccms 2019-03-15 6.5
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering that code through the template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition...
CVE-2018-1260 2 Pivotal, Pivotal Software 2 Spring Security Oauth, Spring Security Oauth 2019-03-13 7.5
Spring Security OAuth, versions 2.3 prior to 2.3.3, 2.2 prior to 2.2.2, 2.1 prior to 2.1.2, 2.0 prior to 2.0.15 and older unsupported versions contains a remote code execution vulnerability. A malicious user or attacker can craft an authorization...
CVE-2018-5158 4 Mozilla, Debian, Redhat and 1 more 11 Firefox, Firefox Esr, Debian Linux and 8 more 2019-03-13 6.8
The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This...
CVE-2017-10844 1 Basercms 1 Basercms 2019-03-12 6.5
baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors.