Total
5312 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2017-6186 | 1 Bitdefender | 3 Antivirus Plus, Internet Security, Total Security | 2025-04-20 | N/A |
| Code injection vulnerability in Bitdefender Total Security 12.0 (and earlier), Internet Security 12.0 (and earlier), and Antivirus Plus 12.0 (and earlier) allows a local attacker to bypass a self-protection mechanism, inject arbitrary code, and take full control of any Bitdefender process via a "DoubleAgent" attack. One perspective on this issue is that (1) these products do not use the Protected Processes feature, and therefore an attacker can enter an arbitrary Application Verifier Provider DLL under Image File Execution Options in the registry; (2) the self-protection mechanism is intended to block all local processes (regardless of privileges) from modifying Image File Execution Options for these products; and (3) this mechanism can be bypassed by an attacker who temporarily renames Image File Execution Options during the attack. | ||||
| CVE-2014-9463 | 2 Vbseo, Vbulletin | 2 Vbseo, Vbulletin | 2025-04-20 | N/A |
| functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php. | ||||
| CVE-2017-7411 | 1 Enalean | 1 Tuleap | 2025-04-20 | N/A |
| An issue was discovered in Enalean Tuleap 9.6 and prior versions. The vulnerability exists because the User::getRecentElements() method is using the unserialize() function with a preference value that can be arbitrarily manipulated by malicious users through the REST API interface, and this can be exploited to inject arbitrary PHP objects into the application scope, allowing an attacker to perform a variety of attacks (including but not limited to Remote Code Execution). | ||||
| CVE-2017-6782 | 1 Cisco | 1 Prime Infrastructure | 2025-04-20 | N/A |
| A vulnerability in the administrative web interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to modify a page in the web interface of the affected application. The vulnerability is due to improper sanitization of parameter values by the affected application. An attacker could exploit this vulnerability by injecting malicious code into an affected parameter and persuading a user to access a web page that triggers the rendering of the injected code. Cisco Bug IDs: CSCve47074. Known Affected Releases: 3.2(0.0). | ||||
| CVE-2017-15376 | 1 Mobatek | 1 Mobaxterm | 2025-04-20 | 9.8 Critical |
| The TELNET service in Mobatek MobaXterm 10.4 does not require authentication, which allows remote attackers to execute arbitrary commands via TCP port 23. | ||||
| CVE-2017-16682 | 1 Sap | 2 Business Application Software Integrated Solution, Netweaver Internet Transaction Server | 2025-04-20 | N/A |
| SAP NetWeaver Internet Transaction Server (ITS), SAP Basis from 7.00 to 7.02, 7.30, 7.31, 7.40, from 7.50 to 7.52, allows an attacker with administrator credentials to inject code that can be executed by the application and thereby control the behavior of the application. | ||||
| CVE-2017-16871 | 1 Updraftplus | 1 Updraftplus | 2025-04-20 | N/A |
| The UpdraftPlus plugin through 1.13.12 for WordPress allows remote PHP code execution because the plupload_action function in /wp-content/plugins/updraftplus/admin.php has a race condition before deleting a file associated with the name parameter. NOTE: the vendor reports that this does not cross a privilege boundary | ||||
| CVE-2017-0899 | 3 Debian, Redhat, Rubygems | 10 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 7 more | 2025-04-20 | N/A |
| RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | ||||
| CVE-2017-8912 | 1 Cmsmadesimple | 1 Cms Made Simple | 2025-04-20 | 7.2 High |
| CMS Made Simple (CMSMS) 2.1.6 allows remote authenticated administrators to execute arbitrary PHP code via the code parameter to admin/editusertag.php, related to the CreateTagFunction and CallUserTag functions. NOTE: the vendor reportedly has stated this is "a feature, not a bug. | ||||
| CVE-2017-7324 | 1 Modx | 1 Modx Revolution | 2025-04-20 | 9.8 Critical |
| setup/templates/findcore.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the core_path parameter. | ||||
| CVE-2017-7402 | 1 Lucidcrew | 1 Pixie | 2025-04-20 | N/A |
| Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg. | ||||
| CVE-2017-7321 | 1 Modx | 1 Modx Revolution | 2025-04-20 | 9.8 Critical |
| setup/controllers/welcome.php in MODX Revolution 2.5.4-pl and earlier allows remote attackers to execute arbitrary PHP code via the config_key parameter to the setup/index.php?action=welcome URI. | ||||
| CVE-2017-1001004 | 1 Typed Function Project | 1 Typed Function | 2025-04-20 | N/A |
| typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | ||||
| CVE-2017-1001002 | 1 Mathjs | 1 Math.js | 2025-04-20 | N/A |
| math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution. | ||||
| CVE-2017-1000196 | 1 Octobercms | 1 October | 2025-04-20 | N/A |
| October CMS build 412 is vulnerable to PHP code execution in the asset manager functionality resulting in site compromise and possibly other applications on the server. | ||||
| CVE-2017-7570 | 1 Pivotx | 1 Pivotx | 2025-04-20 | N/A |
| PivotX 2.3.11 allows remote authenticated Advanced users to execute arbitrary PHP code by performing an upload with a safe file extension (such as .jpg) and then invoking the duplicate function to change to the .php extension. | ||||
| CVE-2017-14764 | 1 Genixcms | 1 Genixcms | 2025-04-20 | N/A |
| In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module. | ||||
| CVE-2016-1602 | 1 Suse | 3 Linux Enterprise Desktop, Linux Enterprise Server, Suse Linux Enterprise Server | 2025-04-20 | N/A |
| A code injection in the supportconfig data collection tool in supportutils in SUSE Linux Enterprise Server 12 and 12-SP1 and SUSE Linux Enterprise Desktop 12 and 12-SP1 could be used by local attackers to execute code as the user running supportconfig (usually root). | ||||
| CVE-2015-8771 | 1 Gosa Project | 1 Gosa Plugin | 2025-04-20 | N/A |
| The generate_smb_nt_hash function in include/functions.inc in GOsa allows remote attackers to execute arbitrary commands via a crafted password. | ||||
| CVE-2014-4000 | 1 Cacti | 1 Cacti | 2025-04-20 | N/A |
| Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()). | ||||