Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-19909 1Sfu 1Open Journal System Nov 21, 2024 Dec 19, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Man...Show more An issue was discovered in Public Knowledge Project (PKP) pkp-lib before 3.1.2-2, as used in Open Journal Systems (OJS) before 3.1.2-2. Code injection can occur in the OJS report generator if an authenticated Journal Manager user visits a crafted URL, because unserialize is used.Show less
CVE-2019-7486 1Sonicwall 1Sma 100 Firmware Nov 21, 2024 Dec 19, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 Code injection in SonicWall SMA100 allows an authenticated user to execute arbitrary code in viewcacert CGI script. This vulnerability impacted SMA100 version 9.0.0.4 and earlier.
CVE-2019-15599 1Tree Kill Project 1Tree Kill Nov 21, 2024 Dec 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Code Injection exists in tree-kill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
CVE-2019-15598 1Treekill Project 1Treekill Nov 21, 2024 Dec 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A Code Injection exists in treekill on Windows which allows a remote code execution when an attacker is able to control the input into the command.
CVE-2019-15597 1Node Df Project 1Node Df Nov 21, 2024 Dec 18, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A code injection exists in node-df v0.1.4 that can allow an attacker to remote code execution by unsanitized input.
CVE-2019-4716 1Ibm 1Planning Analytics Jan 14, 2026 Dec 18, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 17...Show more IBM Planning Analytics 2.0.0 through 2.0.8 is vulnerable to a configuration overwrite that allows an unauthenticated user to login as "admin", and then execute code as root or SYSTEM via TM1 scripting. IBM X-Force ID: 172094.Show less
CVE-2019-16774 1Phpfastcache 1Phpfastcache Nov 21, 2024 Dec 12, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2019-10769 1Safer Eval Project 1Safer Eval Nov 21, 2024 Dec 6, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 safer-eval is a npm package to sandbox the he evaluation of code used within the eval function. Affected versions of this package are vulnerable to Arbitrary Code Execution via generating a RangeError.
CVE-2019-16885 1Okay Cms 1Okaycms Nov 21, 2024 Dec 3, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the...Show more In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie price_filter, and second in api/Comparison.php via the cookie comparison.Show less
CVE-2019-3665 1Mcafee 1Webadvisor Nov 21, 2024 Dec 3, 2019 N/A· v4 6.5 MEDIUM· v3 4.3 MEDIUM· v2 Code Injection vulnerability in the web interface in McAfee Web Advisor (WA) prior to 4.1.1.48 allows remote unauthenticated attacker to allow the browser to render a website which Web Advisor would normally have blocked...Show more Code Injection vulnerability in the web interface in McAfee Web Advisor (WA) prior to 4.1.1.48 allows remote unauthenticated attacker to allow the browser to render a website which Web Advisor would normally have blocked via a carefully crafted web site.Show less
CVE-2019-19502 1Maleck 1Image Uploader And Browser For Ckeditor Nov 21, 2024 Dec 2, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Code injection in pluginconfig.php in Image Uploader and Browser for CKEditor before 4.1.9 allows remote authenticated users to execute arbitrary PHP code.
CVE-2019-14867 2Fedoraproject Freeipa 2Fedora Freeipa Nov 21, 2024 Nov 27, 2019 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, w...Show more A flaw was found in IPA, all 4.6.x versions before 4.6.7, all 4.7.x versions before 4.7.4 and all 4.8.x versions before 4.8.3, in the way the internal function ber_scanf() was used in some components of the IPA server, which parsed kerberos key data. An unauthenticated attacker who could trigger parsing of the krb principal key could cause the IPA server to crash or in some conditions, cause arbitrary code to be executed on the server hosting the IPA server.Show less
CVE-2019-16255 4Debian OpensuseOracle+1 more 4Debian Linux GraalvmLeap+1 more Nov 21, 2024 Nov 26, 2019 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can explo...Show more Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.Show less
CVE-2019-13714 2Google Opensuse 2Backports Sle Chrome Nov 21, 2024 Nov 25, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL.
CVE-2019-3427 1Zte 1Zxcdn Iamweb Firmware Nov 21, 2024 Nov 22, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting in users’ inform...Show more The version V6.01.03.01 of ZTE ZXCDN IAMWEB product is impacted by a code injection vulnerability. An attacker could exploit the vulnerability to inject malicious code into the management page, resulting in users’ information leakage.Show less
CVE-2019-18889 2Fedoraproject Sensiolabs 2Fedora Symfony Nov 21, 2024 Nov 21, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache...Show more An issue was discovered in Symfony 3.4.0 through 3.4.34, 4.2.0 through 4.2.11, and 4.3.0 through 4.3.7. Serializing certain cache adapter interfaces could result in remote code injection. This is related to symfony/cache.Show less
CVE-2019-5509 1Netapp 1Ontap Select Deploy Administration Utility Nov 21, 2024 Nov 21, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and u...Show more ONTAP Select Deploy administration utility versions 2.11.2 through 2.12.2 are susceptible to a code injection vulnerability which when successfully exploited could allow an unauthenticated remote attacker to enable and use a privileged user account.Show less
CVE-2019-19010 2Fedoraproject Limnoria Project 2Fedora Limnoria Nov 21, 2024 Nov 16, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and i...Show more Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.Show less
CVE-2019-15388 1Coolpad 1Mega 5 Firmware Nov 21, 2024 Nov 14, 2019 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer...Show more The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user's screen, factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user's text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user's notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user's text messages, and more.Show less
CVE-2013-1666 1Foswiki 1Foswiki Nov 21, 2024 Nov 1, 2019 N/A· v4 9.8 CRITICAL· v3 6.8 MEDIUM· v2 Foswiki before 1.1.8 contains a code injection vulnerability in the MAKETEXT macro.

Previous 1...200201202...324 Next