Vulnerabilities (CVE)

Filter: CWE-94 (Improper Control of Generation of Code, 'Code Injection')

2358 CVEs match this filter; the 20 most recently updated are listed below.

Columns: CVE ID; number and names of affected vendors; number and names of affected products; date the record was last updated; CVSS base score. Vendor and product are omitted where the listing has no product mapping for the CVE.
CVE-2019-7653 | 1 vendor: Rdflib Project | 1 product: Rdflib | Updated 2019-02-21 | CVSS 7.5
The Debian python-rdflib-tools 4.2.2-1 package for RDFLib 4.2.2 has CLI tools that can load Python modules from the current working directory, allowing code injection, because "python -m" looks in this directory, as demonstrated by rdf2dot. This...
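The mechanism in the entry above, as an added self-contained illustration that is not rdflib's code and not an exploit for it: `python -m pkg.tool` puts the current working directory first on sys.path, so a file in that directory named like the tool's package is imported (and executed) instead of the installed one. The stand-in target here is the standard library's `json.tool` CLI, on the assumption that every `-m` entry point resolves its parent package the same way; the planted `json.py` only writes a marker file to prove it ran. The hardened invocation is `python -I -m ...` (isolated mode, which drops the directory from sys.path); on Python 3.11+ the narrower `-P` flag or `PYTHONSAFEPATH=1` does just the sys.path part.

```python
"""Module shadowing through the working directory under `python -m`.

Added illustration of the mechanism behind CVE-2019-7653; this is not rdflib's
code and not an exploit for it. `python -m pkg.tool` puts the current directory
first on sys.path, so a file there named like the tool's package is imported
instead of the installed one. Stand-in target: the stdlib `json.tool` CLI, on
the assumption that any `-m` entry point resolves its package the same way.
"""
import os
import subprocess
import sys
import tempfile

# Constructed attacker file, dropped as `json.py` in the directory where the
# victim runs the tool. It only writes a marker to prove that it executed.
SHADOW_SOURCE = (
    "import pathlib\n"
    "pathlib.Path(__file__).with_name('marker.txt').write_text('shadow ran')\n"
)


def run_tool(workdir: str, isolated: bool) -> bool:
    """Run `python [-I] -m json.tool` with workdir as the working directory.
    Returns True if the shadowing module ran (the marker file appeared)."""
    marker = os.path.join(workdir, "marker.txt")
    if os.path.exists(marker):
        os.remove(marker)
    # PYTHONSAFEPATH (3.11+) would hide the default behaviour; unset it so the
    # baseline run shows what an unprotected invocation does.
    env = {k: v for k, v in os.environ.items() if k != "PYTHONSAFEPATH"}
    cmd = [sys.executable]
    if isolated:
        cmd.append("-I")  # isolated mode: the working directory is not put on sys.path
    cmd += ["-m", "json.tool"]
    subprocess.run(cmd, cwd=workdir, env=env, input='{"a": 1}',
                   text=True, capture_output=True, check=False)
    return os.path.exists(marker)


def demo() -> tuple:
    """Return (shadow_ran_with_plain_-m, shadow_ran_with_-I)."""
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "json.py"), "w") as f:
            f.write(SHADOW_SOURCE)
        return run_tool(workdir, isolated=False), run_tool(workdir, isolated=True)


if __name__ == "__main__":
    plain, isolated = demo()
    print(f"python -m json.tool    -> attacker module ran: {plain}")     # True
    print(f"python -I -m json.tool -> attacker module ran: {isolated}")  # False
```

In the plain run the planted module is imported before `json.tool` is even looked up, and the real tool then fails with "'json' is not a package"; the attacker's code has already executed by then. Packaging-side fixes are the same idea: ship console-script entry points instead of telling users to run `python -m`, or have the wrapper pass `-I`/`-P`.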
CVE-2018-3700 | vendor/product not listed | Updated 2019-02-20 | CVSS 4.6
Code injection vulnerability in the installer for Intel(R) USB 3.0 eXtensible Host Controller Driver for Microsoft Windows 7 before version 5.0.4.43v2 may allow a user to potentially enable escalation of privilege via local access.
CVE-2019-8908 | 1 vendor: Wtcms Project | 1 product: Wtcms | Updated 2019-02-19 | CVSS 7.5
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting -> Mailbox configuration -> Registration email template" screen, and uploading an image file, as demonstrated by a .php...
CVE-2019-8341 | 1 vendor: Pocoo | 1 product: Jinja2 | Updated 2019-02-16 | CVSS 7.5
An issue was discovered in Jinja2 2.10. The from_string function is prone to Server Side Template Injection (SSTI) where it takes the "source" parameter as a template object, renders it, and then returns it. The attacker can exploit it with...
CVE-2019-6289 | 1 vendor: Dedecms | 1 product: Dedecms | Updated 2019-02-13 | CVSS 6.5
uploads/include/dialog/select_soft.php in DedeCMS V57_UTF8_SP2 allows remote attackers to execute arbitrary PHP code by uploading with a safe file extension and then renaming with a mixed-case variation of the .php extension, as demonstrated by...
CVE-2019-7720 | 1 vendor: Taogogo | 1 product: Taocms | Updated 2019-02-13 | CVSS 7.5
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request.
CVE-2018-20768 | vendor/product not listed | Updated 2019-02-13 | CVSS 7.5
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a...
CVE-2018-0461 | 1 vendor: Cisco | 1 product: Ip Phone 8800 Series Firmware | Updated 2019-02-12 | CVSS 6.8
A vulnerability in the Cisco IP Phone 8800 Series Software could allow an unauthenticated, remote attacker to conduct an arbitrary script injection attack on an affected device. The vulnerability exists because the software running on an affected...
CVE-2019-7731 | 1 vendor: Mywebsql | 1 product: Mywebsql | Updated 2019-02-12 | CVSS 7.5
MyWebSQL 3.7 has a remote code execution (RCE) vulnerability after an attacker writes shell code into the database, and executes the Backup Database function with a .php filename for the backup's archive file.
CVE-2019-7719 | 1 vendor: Nibbleblog | 1 product: Nibbleblog | Updated 2019-02-11 | CVSS 7.5
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request.
CVE-2018-20775 | 1 vendor: Frog Cms Project | 1 product: Frog Cms | Updated 2019-02-11 | CVSS 6.5
admin/?/plugin/file_manager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI.
CVE-2018-20773 | 1 vendor: Frog Cms Project | 1 product: Frog Cms | Updated 2019-02-11 | CVSS 6.5
Frog CMS 0.9.5 allows PHP code execution by visiting admin/?/page/edit/1 and inserting additional <?php lines.
CVE-2018-20772 | 1 vendor: Frog Cms Project | 1 product: Frog Cms | Updated 2019-02-11 | CVSS 6.5
Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/layout/edit/1 URI.
CVE-2019-7580 | 1 vendor: Thinkcmf | 1 product: Thinkcmf | Updated 2019-02-08 | CVSS 6.5
ThinkCMF 5.0.190111 allows remote attackers to execute arbitrary PHP code via the portal/admin_category/addpost.html alias parameter because the mishandling of a single quote character allows data/conf/route.php injection.
CVE-2017-18356 | vendor/product not listed | Updated 2019-02-07 | CVSS 6.5
In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attack is possible after gaining access to the target site with a user account that has at least Shop manager privileges. The attacker then constructs a specifically crafted...
CVE-2018-19002 | vendor/product not listed | Updated 2019-02-06 | CVSS 8.3
LCDS Laquis SCADA prior to version 4.1.0.4150 allows improper control of generation of code when opening a specially crafted project file, which may allow remote code execution, data exfiltration, or cause a system crash.
CVE-2018-20129 | 1 vendor: Dedecms | 1 product: Dedecms | Updated 2019-02-05 | CVSS 6.5
An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg...
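The upload entries above (WTCMS CVE-2019-8908, DedeCMS CVE-2019-6289 and CVE-2018-20129, MyWebSQL CVE-2019-7731) all defeat a file-name check in one of a few ways: a mixed-case `.php`, a second extension after the `.php`, a rename after a clean upload, or a user-chosen name for a file the server will write. The following is an added example, not code from any of those projects, showing the denylist pattern that falls to those tricks beside an allowlist check that does not. The function names and extension sets are this example's own choices; it assumes an Apache/PHP-style deployment where a handler may match any suffix in the name (so `shell.php.jpg` is dangerous) and where nothing else constrains where uploads land.

```python
"""Upload file-name validation: the denylist pattern the CMS entries above are
bypassing, beside an allowlist check that survives the same tricks.

Added example, not code from DedeCMS, WTCMS or MyWebSQL; the function names and
extension sets are this example's own choices. Assumption: an Apache/PHP-style
deployment in which a handler may match any suffix in the name (so shell.php.jpg
is dangerous), and in which nothing else constrains where uploads are written.
"""
import re
import uuid
from typing import Iterable, Optional

# Suffixes a script engine would execute. Kept even in the allowlist design so
# that "shell.php.jpg" is refused outright rather than judged by its last suffix.
EXECUTABLE_EXTS = frozenset({"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"})
IMAGE_EXTS = frozenset({"jpg", "jpeg", "png", "gif"})


def denylist_check(filename: str) -> bool:
    """Vulnerable pattern: case-sensitive match on the last suffix only.
    Accepts shell.PHp (mixed case) and shell.php.jpg (double extension)."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in EXECUTABLE_EXTS


def allowlist_check(filename: str, allowed: Iterable[str] = IMAGE_EXTS) -> bool:
    """Hardened check. True only for a bare file name whose lower-cased final
    suffix is in `allowed` and which carries no executable suffix anywhere."""
    if "/" in filename or "\\" in filename:
        return False                              # no path components at all
    if re.search(r"[\x00-\x1f\x7f]", filename):
        return False                              # NUL / control-byte truncation tricks
    if filename != filename.strip(" ."):
        return False                              # "shell.php." and trailing-space variants
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False                              # no extension, or a dotfile
    if any(p in EXECUTABLE_EXTS for p in parts[1:]):
        return False                              # shell.php.jpg, shell.phP.jpg
    return parts[-1] in set(allowed)


def stored_name(filename: str, allowed: Iterable[str] = IMAGE_EXTS) -> Optional[str]:
    """Server-chosen on-disk name: random stem, extension copied only after the
    allowlist check passed. Run the same check wherever the application lets a
    user pick a name later (rename, "backup file name" fields), not only at upload."""
    if not allowlist_check(filename, allowed):
        return None
    return f"{uuid.uuid4().hex}.{filename.lower().rsplit('.', 1)[-1]}"
```

Two caveats the entries illustrate: a `Content-Type: image/jpeg` header (the CVE-2018-20129 case) is chosen by the client and must not count as validation, and a check that only runs on upload is useless if a rename or "backup to file name" endpoint (CVE-2019-6289, CVE-2019-7731) accepts an unchecked name afterwards; the same `allowlist_check`, with the allowlist appropriate to that endpoint, has to gate every path that chooses a name on disk.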
CVE-2018-20300 | 1 vendor: Phome | 1 product: Empirecms | Updated 2019-02-05 | CVSS 7.5
Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file.
CVE-2018-19127 | 1 vendor: Phpcms | 1 product: Phpcms | Updated 2019-02-04 | CVSS 7.5
A code injection vulnerability in /type.php in PHPCMS 2008 allows attackers to write arbitrary content to a website cache file with a controllable filename, leading to arbitrary code execution. The PHP code is sent via the template parameter, and...
CVE-2018-19520 | 2 vendors: Php, Sdcms | 2 products: Php, Sdcms | Updated 2019-02-04 | CVSS 6.5
An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to...