Total
4525 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2022-0885 | 1 Memberhero | 1 Member Hero | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments. | |||||
| CVE-2022-0845 | 1 Lightningai | 1 Pytorch Lightning | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Code Injection in GitHub repository pytorchlightning/pytorch-lightning prior to 1.6.0. | |||||
| CVE-2022-0819 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Code Injection in GitHub repository dolibarr/dolibarr prior to 15.0.1. | |||||
| CVE-2022-0811 | 1 Kubernetes | 1 Cri-o | 2024-11-21 | 9.0 HIGH | 8.8 HIGH |
| A flaw was found in CRI-O in the way it set kernel options for a pod. This issue allows anyone with rights to deploy a pod on a Kubernetes cluster that uses the CRI-O runtime to achieve a container escape and arbitrary code execution as root on the cluster node, where the malicious pod was deployed. | |||||
| CVE-2022-0661 | 1 Ad Injection Project | 1 Ad Injection | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| The Ad Injection WordPress plugin through 1.2.0.19 does not properly sanitize the body of the adverts injected into the pages, allowing a high privileged user (Admin+) to inject arbitrary HTML or javascript even with unfiltered_html disallowed, leading to a stored cross-site scripting (XSS) vulnerability. Further it is also possible to inject PHP code, leading to a Remote Code execution (RCE) vulnerability, even if the DISALLOW_FILE_EDIT and DISALLOW_FILE_MOD constants are both set. | |||||
| CVE-2022-0578 | 1 Publify Project | 1 Publify | 2024-11-21 | 6.4 MEDIUM | 6.5 MEDIUM |
| Code Injection in GitHub repository publify/publify prior to 9.2.8. | |||||
| CVE-2022-0323 | 1 Mustache Project | 1 Mustache | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| Improper Neutralization of Special Elements Used in a Template Engine in Packagist mustache/mustache prior to 2.14.1. | |||||
| CVE-2021-4434 | 1 Warfareplugins | 1 Social Warfare | 2024-11-21 | N/A | 10.0 CRITICAL |
| The Social Warfare plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.5.2 via the 'swp_url' parameter. This allows attackers to execute code on the server. | |||||
| CVE-2021-4315 | 1 Psiturk | 1 Psiturk | 2024-11-21 | 5.2 MEDIUM | 5.5 MEDIUM |
| A vulnerability has been found in NYUCCL psiTurk up to 3.2.0 and classified as critical. This vulnerability affects unknown code of the file psiturk/experiment.py. The manipulation of the argument mode leads to improper neutralization of special elements used in a template engine. The exploit has been disclosed to the public and may be used. Upgrading to version 3.2.1 is able to address this issue. The name of the patch is 47787e15cecd66f2aa87687bf852ae0194a4335f. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-219676. | |||||
| CVE-2021-46362 | 1 Magnolia-cms | 1 Magnolia Cms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Server-Side Template Injection (SSTI) vulnerability in the Registration and Forgotten Password forms of Magnolia v6.2.3 and below allows attackers to execute arbitrary code via a crafted payload entered into the fullname parameter. | |||||
| CVE-2021-46118 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code. | |||||
| CVE-2021-46117 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code. | |||||
| CVE-2021-46114 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| jpress v 4.2.0 is vulnerable to RCE via io.jpress.module.product.ProductNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code. | |||||
| CVE-2021-46063 | 1 Mingsoft | 1 Mcms | 2024-11-21 | 6.4 MEDIUM | 9.1 CRITICAL |
| MCMS v5.2.5 was discovered to contain a Server Side Template Injection (SSTI) vulnerability via the Template Management module. | |||||
| CVE-2021-45806 | 1 Jpress | 1 Jpress | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| jpress v4.2.0 admin panel provides a function through which attackers can modify the template and inject some malicious code. | |||||
| CVE-2021-45029 | 1 Apache | 1 Shenyu | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. This issue affected Apache ShenYu 2.4.0 and 2.4.1. | |||||
| CVE-2021-44978 | 1 Idreamsoft | 1 Icms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| iCMS <= 8.0.0 allows users to add and render a comtom template, which has a SSTI vulnerability which causes remote code execution. | |||||
| CVE-2021-44734 | 1 Lexmark | 467 6500e, 6500e Firmware, B2236 and 464 more | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Embedded web server input sanitization vulnerability in Lexmark devices through 2021-12-07, which can which can lead to remote code execution on the device. | |||||
| CVE-2021-44618 | 1 Nystudio107 | 1 Seomatic | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A Server-side Template Injection (SSTI) vulnerability exists in Nystudio107 Seomatic 3.4.12 in src/helpers/UrlHelper.php via the host header. | |||||
| CVE-2021-44521 | 1 Apache | 1 Cassandra | 2024-11-21 | 8.5 HIGH | 9.1 CRITICAL |
| When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE. | |||||