CWE-94

6,471 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

Columns: Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2) · Description

Vendors (1): Barrelstrengthdesign
Products (1): Sprout Forms
Updated: Nov 21, 2024 · Published: May 7, 2020
CVSS: v4 N/A · v3 6.3 MEDIUM · v2 6.5 MEDIUM
Description: In Sprout Forms before 3.9.0, there is a potential Server-Side Template Injection vulnerability when using custom fields in Notification Emails which could lead to the execution of Twig code. This has been fixed in 3.9.0.

Vendors (1): Assaabloy
Products (1): Yale Wipc 301w Firmware
Updated: Nov 21, 2024 · Published: May 7, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Description: ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43_p1 devices allow Eval Injection of commands.

Vendors (1): Node Rules Project
Products (1): Node Rules
Updated: Nov 21, 2024 · Published: Apr 27, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: node-rules including 3.0.0 and prior to 5.0.0 allows injection of arbitrary commands. The argument rules of function "fromJSON()" can be controlled by users without any sanitization.

Vendors (1): Grandstream
Products (6): Gxp1610 Firmware, Gxp1615 Firmware, Gxp1620 Firmware, +3 more
Updated: Nov 21, 2024 · Published: Apr 14, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Description: Grandstream GXP1600 series firmware 1.0.4.152 and below is vulnerable to authenticated remote command execution when an attacker adds an OpenVPN up script to the phone's VPN settings via the "Additional Settings" field in the web interface. When the VPN's connection is established, the user defined script is executed with root privileges.

Vendors (1): Hitachienergy
Products (1): Esoms
Updated: Nov 21, 2024 · Published: Apr 2, 2020
CVSS: v4 N/A · v3 6.1 MEDIUM · v2 4.3 MEDIUM
Description: For ABB eSOMS versions 4.0 to 6.0.3, the X-Content-Type-Options Header is missing in the HTTP response, potentially causing the response body to be interpreted and displayed as different content type other than declared. A possible attack scenario would be unauthorized code execution via text interpreted as JavaScript.

Vendors (1): Alienform2 Project
Products (1): Alienform2
Updated: Nov 21, 2024 · Published: Apr 1, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Description: Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests.

Vendors (1): Marchnetworks
Products (1): Command Client
Updated: Nov 21, 2024 · Published: Apr 1, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: The connection initiation process in March Networks Command Client before 2.7.2 allows remote attackers to execute arbitrary code via crafted XAML objects.

Vendors (1): Cutephp
Products (1): Cutenews
Updated: Nov 21, 2024 · Published: Mar 25, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 9.0 HIGH
Description: CuteNews 2.0.1 allows remote authenticated attackers to execute arbitrary PHP code via unspecified vectors.

Vendors (1): Mailform
Products (1): Mailform
Updated: Nov 21, 2024 · Published: Mar 25, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
Description: mailform version 1.04 allows remote attackers to execute arbitrary PHP code via unspecified vectors.

Vendors (3): Debian, Fedoraproject, Redhat
Products (5): Ansible, Ansible Tower, Debian Linux, +2 more
Updated: Nov 21, 2024 · Published: Mar 24, 2020
CVSS: v4 N/A · v3 7.1 HIGH · v2 3.6 LOW
Description: A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Vendors (1): Schneider Electric
Products (11): Andover Continuum 5720 Firmware, Andover Continuum 5740 Firmware, Andover Continuum 9200 Firmware, +8 more
Updated: Nov 21, 2024 · Published: Mar 23, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: A CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability exists in Andover Continuum (All versions), which could cause files on the application server filesystem to be viewable when an attacker interferes with an application's processing of XML data.

Vendors (1): Eaton
Products (1): Ups Companion
Updated: Nov 21, 2024 · Published: Mar 23, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 5.8 MEDIUM
Description: UPS companion software v1.05 & Prior is affected by 'Eval Injection' vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call, e.g. "eval" in the "Update Manager" class when software attempts to see if there are updates available. This results in arbitrary code execution on the machine where software is installed.

Vendors (1): Nextcloud
Products (1): Desktop
Updated: Nov 21, 2024 · Published: Mar 20, 2020
CVSS: v4 N/A · v3 6.7 MEDIUM · v2 4.6 MEDIUM
Description: A code injection in Nextcloud Desktop Client 2.6.2 for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the environment.

Vendors (1): Blamer Project
Products (1): Blamer
Updated: Nov 21, 2024 · Published: Mar 20, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: Code injection vulnerability in blamer 1.0.0 and earlier may result in remote code execution when the input can be controlled by an attacker.

Vendors (1): Phpbb
Products (1): Phpbb
Updated: Nov 21, 2024 · Published: Mar 20, 2020
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.0 MEDIUM
Description: phpBB 3.2.7 allows adding an arbitrary Cascading Style Sheets (CSS) token sequence to a page through BBCode.

Vendors (1): Dell
Products (2): Emc Data Protection Advisor, Emc Integrated Data Protection Appliance Firmware
Updated: Nov 21, 2024 · Published: Mar 18, 2020
CVSS: v4 N/A · v3 7.2 HIGH · v2 9.0 HIGH
Description: Dell EMC Data Protection Advisor versions 6.3, 6.4, 6.5, 18.2 versions prior to patch 83, and 19.1 versions prior to patch 71 contain a server-side template injection vulnerability in the REST API. A remote authenticated malicious user with administrative privileges may potentially exploit this vulnerability to inject malicious report generation scripts in the server. This may lead to OS command execution as the regular user runs the DPA service on the affected system.

Vendors (1): Codiad
Products (1): Codiad
Updated: Nov 21, 2024 · Published: Mar 16, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: Codiad Web IDE through 2.8.4 allows PHP Code injection.

Vendors (1): Dot Project
Products (1): Dot
Updated: Nov 21, 2024 · Published: Mar 15, 2020
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
Description: The dot package v1.1.2 uses Function() to compile templates. This can be exploited by the attacker if they can control the given template or if they can control the value set on Object.prototype.

Vendors (1): Chadhaajay
Products (1): Phpkb
Updated: Nov 21, 2024 · Published: Mar 12, 2020
CVSS: v4 N/A · v3 7.2 HIGH · v2 6.5 MEDIUM
Description: admin/save-settings.php in Chadha PHPKB Standard Multi-Language 9 allows remote attackers to achieve Code Execution by injecting PHP code into any POST parameter when saving global settings.

Vendors (1): Fatfreeframework
Products (1): Fat Free Framework
Updated: Nov 21, 2024 · Published: Mar 11, 2020
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
Description: In Fat-Free Framework 3.7.1, attackers can achieve arbitrary code execution if developers choose to pass user controlled input (e.g., $_REQUEST, $_GET, or $_POST) to the framework's Clear method.