Total
4516 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-7625 | 1 Fiyo | 1 Fiyo Cms | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In Fiyo CMS 2.x through 2.0.7, attackers may upload a webshell via the content parameter to "/dapur/apps/app_theme/libs/save_file.php" and then execute code. | |||||
| CVE-2017-1001002 | 1 Mathjs | 1 Math.js | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | |||||
| CVE-2017-2809 | 1 Ansible-vault Project | 1 Ansible-vault | 2025-04-20 | 6.8 MEDIUM | 7.5 HIGH |
| An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability. | |||||
| CVE-2017-5543 | 1 Intelliants | 1 Subrion | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request. | |||||
| CVE-2015-6576 | 1 Atlassian | 1 Bamboo | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource. | |||||
| CVE-2015-0249 | 1 Apache | 1 Roller | 2025-04-20 | 6.5 MEDIUM | 7.2 HIGH |
| The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL). | |||||
| CVE-2017-6782 | 1 Cisco | 1 Prime Infrastructure | 2025-04-20 | 4.9 MEDIUM | 5.4 MEDIUM |
| A vulnerability in the administrative web interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to modify a page in the web interface of the affected application. The vulnerability is due to improper sanitization of parameter values by the affected application. An attacker could exploit this vulnerability by injecting malicious code into an affected parameter and persuading a user to access a web page that triggers the rendering of the injected code. Cisco Bug IDs: CSCve47074. Known Affected Releases: 3.2(0.0). | |||||
| CVE-2015-3638 | 1 Phpmybackuppro | 1 Phpmybackuppro | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable. | |||||
| CVE-2017-9807 | 1 Openwebif Project | 1 Openwebif | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig. | |||||
| CVE-2017-3753 | 1 Lenovo | 219 63, 63 Firmware, H50-30g and 216 more | 2025-04-20 | 7.2 HIGH | 6.8 MEDIUM |
| A vulnerability has been identified in some Lenovo products that use UEFI (BIOS) code developed by American Megatrends, Inc. (AMI). With this vulnerability, conditions exist where an attacker with administrative privileges or physical access to a system may be able to run specially crafted code that can allow them to bypass system protections such as Device Guard and Hyper-V. | |||||
| CVE-2017-6455 | 1 Ntp | 1 Ntp | 2025-04-20 | 4.4 MEDIUM | 7.0 HIGH |
| NTP before 4.2.8p10 and 4.3.x before 4.3.94, when using PPSAPI, allows local users to gain privileges via a DLL in the PPSAPI_DLLS environment variable. | |||||
| CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | |||||
| CVE-2017-16783 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| In CMS Made Simple 2.1.6, there is Server-Side Template Injection via the cntnt01detailtemplate parameter. | |||||
| CVE-2016-5072 | 1 Oxidforge | 1 Oxid Eshop | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| OXID eShop before 2016-06-13 allows remote attackers to execute arbitrary code via a GET or POST request to the oxuser class. Fixed versions are Enterprise Edition v5.1.12, Enterprise Edition v5.2.9, Professional Edition v4.8.12, Professional Edition v4.9.9, Community Edition v4.8.12, Community Edition v4.9.9. | |||||
| CVE-2017-7494 | 2 Debian, Samba | 2 Debian Linux, Samba | 2025-04-20 | 10.0 HIGH | 9.8 CRITICAL |
| Samba since version 3.5.0 and before 4.6.4, 4.5.10 and 4.4.14 is vulnerable to remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. | |||||
| CVE-2017-1000196 | 1 Octobercms | 1 October | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. | |||||
| CVE-2016-1602 | 1 Suse | 3 Linux Enterprise Desktop, Linux Enterprise Server, Suse Linux Enterprise Server | 2025-04-20 | 7.2 HIGH | 7.8 HIGH |
| A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root). | |||||
| CVE-2016-8354 | 1 Schneider-electric | 1 Unity Pro | 2025-04-20 | 5.1 MEDIUM | 7.0 HIGH |
| An issue was discovered in Schneider Electric Unity PRO prior to V11.1. Unity projects can be compiled as x86 instructions and loaded onto the PLC Simulator delivered with Unity PRO. These x86 instructions are subsequently executed directly by the simulator. A specially crafted patched Unity project file can make the simulator execute malicious code by redirecting the control flow of these instructions. | |||||
| CVE-2017-9442 | 1 Bigtreecms | 1 Bigtree Cms | 2025-04-20 | 6.5 MEDIUM | 8.8 HIGH |
| BigTree CMS through 4.2.18 allows remote authenticated users to execute arbitrary code by uploading a crafted package containing a PHP web shell, related to extraction of a ZIP archive to filename patterns such as cache/package/xxx/yyy.php. This issue exists in core\admin\modules\developer\extensions\install\unpack.php and core\admin\modules\developer\packages\install\unpack.php. NOTE: the vendor states "You must implicitly trust any package or extension you install as they all have the ability to write PHP files. | |||||
| CVE-2017-13676 | 1 Norton | 1 Remove \& Reinstall | 2025-04-20 | 4.4 MEDIUM | 7.0 HIGH |
| Norton Remove & Reinstall can be susceptible to a DLL preloading vulnerability. These types of issues occur when an application looks to call a DLL for execution and an attacker provides a malicious DLL to use instead. Depending on how the application is configured, it will generally follow a specific search path to locate the DLL. The vulnerability can be exploited by a simple file write (or potentially an over-write) which results in a foreign DLL running under the context of the application. A Norton Remove & Reinstall update, version 4.4.0.58, has been released which addresses the aforementioned vulnerability. | |||||