Vulnerabilities (CVE)

Filtered by CWE-94
Total 4525 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-39908 1 Gitlab 1 Gitlab 2024-11-21 5.0 MEDIUM 6.5 MEDIUM
In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI.
CVE-2021-39503 1 Phpmywind 1 Phpmywind 2024-11-21 6.5 MEDIUM 7.2 HIGH
PHPMyWind 5.6 is vulnerable to Remote Code Execution. Becase input is filtered without "<, >, ?, =, `,...." In WriteConfig() function, an attacker can inject php code to /include/config.cache.php file.
CVE-2021-39402 1 Maianmedia 1 Maianaffiliate 2024-11-21 6.5 MEDIUM 7.2 HIGH
MaianAffiliate v.1.0 is suffers from code injection by adding a new product via the admin panel. The injected payload is reflected on the affiliate main page for all authenticated and unauthenticated visitors.
CVE-2021-39383 1 Diaowen 1 Dwsurvey 2024-11-21 7.5 HIGH 9.8 CRITICAL
DWSurvey v3.2.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /sysuser/SysPropertyAction.java.
CVE-2021-39160 1 Jupyterhub 1 Nbgitpuller 2024-11-21 6.8 MEDIUM 9.6 CRITICAL
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment. This has been resolved in version 0.10.2 and all users are advised to upgrade. No work around exist for users who can not upgrade.
CVE-2021-39159 1 Jupyter 1 Binderhub 2024-11-21 7.5 HIGH 9.6 CRITICAL
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub with maliciously crafted input could execute code in the BinderHub context, with the potential to egress credentials of the BinderHub deployment, including JupyterHub API tokens, kubernetes service accounts, and docker registry credentials. This may provide the ability to manipulate images and other user created pods in the deployment, with the potential to escalate to the host depending on the underlying kubernetes configuration. Users are advised to update to version 0.2.0-n653. If users are unable to update they may disable the git repo provider by specifying the `BinderHub.repo_providers` as a workaround.
CVE-2021-39128 1 Atlassian 2 Jira Data Center, Jira Server 2024-11-21 6.5 MEDIUM 7.2 HIGH
Affected versions of Atlassian Jira Server or Data Center using the Jira Service Management addon allow remote attackers with JIRA Administrators access to execute arbitrary Java code via a server-side template injection vulnerability in the Email Template feature. The affected versions of Jira Server or Data Center are before version 8.13.12, and from version 8.14.0 before 8.19.1.
CVE-2021-39115 1 Atlassian 2 Jira Service Desk, Jira Service Management 2024-11-21 9.0 HIGH 7.2 HIGH
Affected versions of Atlassian Jira Service Management Server and Data Center allow remote attackers with "Jira Administrators" access to execute arbitrary Java code or run arbitrary system commands via a Server_Side Template Injection vulnerability in the Email Template feature. The affected versions are before version 4.13.9, and from version 4.14.0 before 4.18.0.
CVE-2021-39114 1 Atlassian 2 Confluence Data Center, Confluence Server 2024-11-21 6.5 MEDIUM 8.8 HIGH
Affected versions of Atlassian Confluence Server and Data Center allow users with a valid account on a Confluence Data Center instance to execute arbitrary Java code or run arbitrary system commands by injecting an OGNL payload. The affected versions are before version 6.13.23, from version 6.14.0 before 7.4.11, from version 7.5.0 before 7.11.6, and from version 7.12.0 before 7.12.5.
CVE-2021-38967 1 Ibm 1 Mq Appliance 2024-11-21 4.6 MEDIUM 6.7 MEDIUM
IBM MQ Appliance 9.2 CD and 9.2 LTS could allow a local privileged user to inject and execute malicious code. IBM X-Force ID: 212441.
CVE-2021-38745 1 Chamilo 1 Chamilo 2024-11-21 4.6 MEDIUM 6.8 MEDIUM
Chamilo LMS v1.11.14 was discovered to contain a zero click code injection vulnerability which allows attackers to execute arbitrary code via a crafted plugin. This vulnerability is triggered through user interaction with the attacker's profile page.
CVE-2021-38450 1 Trane 5 Tracer Concierge, Tracer Sc, Tracer Sc\+ and 2 more 2024-11-21 6.5 MEDIUM 9.9 CRITICAL
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
CVE-2021-38448 1 Trane 6 Ascend Air-cooled Chiller Acr, Intellipak 1, Intellipak 2 and 3 more 2024-11-21 4.6 MEDIUM 7.5 HIGH
The affected controllers do not properly sanitize the input containing code syntax. As a result, an attacker could craft code to alter the intended controller flow of the software.
CVE-2021-38196 1 Better-macro Project 1 Better-macro 2024-11-21 7.5 HIGH 9.8 CRITICAL
An issue was discovered in the better-macro crate through 2021-07-22 for Rust. It intentionally demonstrates that remote attackers can execute arbitrary code via proc-macros, and otherwise has no legitimate purpose.
CVE-2021-37694 1 Asyncapi 1 Java-spring-cloud-stream-template 2024-11-21 6.8 MEDIUM 8.7 HIGH
@asyncapi/java-spring-cloud-stream-template generates a Spring Cloud Stream (SCSt) microservice. In versions prior to 0.7.0 arbitrary code injection was possible when an attacker controls the AsyncAPI document. An example is provided in GHSA-xj6r-2jpm-qvxp. There are no mitigations available and all users are advised to update.
CVE-2021-37626 1 Contao 1 Contao 2024-11-21 6.5 MEDIUM 7.2 HIGH
Contao is an open source CMS that allows you to create websites and scalable web applications. In affected versions it is possible to load PHP files by entering insert tags in the Contao back end. Installations are only affected if they have untrusted back end users who have the rights to modify fields that are shown in the front end. Update to Contao 4.4.56, 4.9.18 or 4.11.7 to resolve. If you cannot update then disable the login for untrusted back end users.
CVE-2021-37384 1 Furukawa 8 423-41w\/ac, 423-41w\/ac Firmware, Ld420-10r and 5 more 2024-11-21 N/A 9.8 CRITICAL
RCE (Remote Code Execution) vulnerability was found in some Furukawa ONU models, this vulnerability allows remote unauthenticated users to send arbitrary commands to the device via web interface.
CVE-2021-37097 1 Huawei 3 Emui, Harmonyos, Magic Ui 2024-11-21 7.8 HIGH 7.5 HIGH
There is a Code Injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to system restart.
CVE-2021-37079 1 Huawei 1 Harmonyos 2024-11-21 6.4 MEDIUM 9.1 CRITICAL
There is a Improper Input Validation vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may lead to delete arbitrary file by system_app permission.
CVE-2021-36985 1 Huawei 2 Emui, Magic Ui 2024-11-21 7.8 HIGH 7.5 HIGH
There is a Code injection vulnerability in Huawei Smartphone.Successful exploitation of this vulnerability may exhaust system resources and cause the system to restart.