Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-4031 1Getcujo 1Smart Firewall Nov 21, 2024 Oct 31, 2019 N/A· v4 10.0 CRITICAL· v3 10.0 HIGH· v2 An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from...Show more An exploitable vulnerability exists in the safe browsing function of the CUJO Smart Firewall, version 7003. The flaw lies in the way the safe browsing function parses HTTP requests. The server hostname is extracted from captured HTTP/HTTPS requests and inserted as part of a Lua statement without prior sanitization, which results in arbitrary Lua script execution in the kernel. An attacker could send an HTTP request to exploit this vulnerability.Show less
CVE-2019-10211 1Postgresql 1Postgresql Nov 21, 2024 Oct 29, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory.
CVE-2019-17526 1Sagemath 1Sagemathcell Nov 21, 2024 Oct 18, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underl...Show more An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an __import__('os').popen('whoami').read() line. NOTE: the vendor's position is that the product is "vulnerable by design" and the current behavior will be retainedShow less
CVE-2019-17613 1Qibosoft 1Qibosoft Nov 21, 2024 Oct 15, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/...Show more qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter.Show less
CVE-2019-17408 1Zzzcms 1Zzzphp Nov 21, 2024 Oct 14, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr.
CVE-2019-3652 1Mcafee 1Endpoint Security Nov 21, 2024 Oct 9, 2019 N/A· v4 5.3 MEDIUM· v3 4.6 MEDIUM· v2 Code Injection vulnerability in EPSetup.exe in McAfee Endpoint Security (ENS) Prior to 10.6.1 October 2019 Update allows local user to get their malicious code installed by the ENS installer via code injection into EPSet...Show more Code Injection vulnerability in EPSetup.exe in McAfee Endpoint Security (ENS) Prior to 10.6.1 October 2019 Update allows local user to get their malicious code installed by the ENS installer via code injection into EPSetup.exe by an attacker with access to the installer.Show less
CVE-2018-21023 1Centreon 1Centreon Web Nov 21, 2024 Oct 8, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.
CVE-2019-17310 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user.
CVE-2019-17309 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user.
CVE-2019-17308 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user.
CVE-2019-17307 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user.
CVE-2019-17306 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user.
CVE-2019-17305 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user.
CVE-2019-17304 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user.
CVE-2019-17303 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user.
CVE-2019-17302 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user.
CVE-2019-17301 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user.
CVE-2019-17300 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user.
CVE-2019-17299 1Sugarcrm 1Sugarcrm Nov 21, 2024 Oct 7, 2019 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user.
CVE-2019-15746 1Sitos 1Sitos Six Nov 21, 2024 Oct 7, 2019 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 SITOS six Build v6.2.1 allows an attacker to inject arbitrary PHP commands. As a result, an attacker can compromise the running server and execute system commands in the context of the web user.

Previous 1...201202203...324 Next