CWE-94

6,471 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
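The definition above, worked through in code. This is an added example written for this page; it is not code from the CWE entry or from any product in the table, and every function, input string and the allow-list regex in it are constructed for illustration. It shows the two shapes the weakness most often takes in the entries below: a field handed straight to eval (the pattern behind the D-Link cookie and PyXDG entries) and code assembled from a template where a newline in the value escapes the intended statement (the pattern behind the RubyGems gemspec stub entry), each beside a hardened form, plus a small ast-based scan that flags eval/exec calls fed anything other than a literal.

```python
import ast
import re

# ---------------------------------------------------------------
# Pattern 1: a request/config field passed straight to eval()
# ---------------------------------------------------------------

def load_setting_vulnerable(raw: str):
    """CWE-94 sink: the field is treated as a Python expression, so any
    expression the caller supplies is executed, not just a literal."""
    return eval(raw)


def load_setting_hardened(raw: str):
    """Only Python literals (str, int, list, dict, ...) are accepted;
    calls, attribute access and names raise ValueError."""
    return ast.literal_eval(raw)


# ---------------------------------------------------------------
# Pattern 2: code generated from a template, then executed
# ---------------------------------------------------------------
# A package name is pasted into a one-line stub that a loader later
# executes. A newline in the name ends the intended statement and starts
# one the attacker wrote.

STUB_TEMPLATE = 'name = "{name}"\n'
NAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # hypothetical allow-list for names


def build_stub_vulnerable(name: str) -> str:
    return STUB_TEMPLATE.format(name=name)


def build_stub_hardened(name: str) -> str:
    """Reject anything outside the allow-list before it reaches the template.
    Restricting the input shape is the fix; escaping alone is easy to get wrong."""
    if not NAME_RE.fullmatch(name):
        raise ValueError("package name outside allow-list: %r" % name)
    return STUB_TEMPLATE.format(name=name)


def run_stub(stub: str) -> dict:
    """Execute a stub the way a loader would and return the names it defined.
    Builtins are stripped only to keep this demo inert; that is not a sandbox."""
    namespace = {}
    exec(stub, {"__builtins__": {}}, namespace)
    return namespace


# ---------------------------------------------------------------
# A cheap static check: flag eval/exec whose first argument is not a constant
# ---------------------------------------------------------------

def find_dynamic_code_sinks(source: str) -> list:
    """Return (line, callee) for eval()/exec() calls fed a non-literal."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in ("eval", "exec") and node.args
                and not isinstance(node.args[0], ast.Constant)):
            hits.append((node.lineno, node.func.id))
    return hits


# Constructed inputs for the demo (not taken from any real advisory).
BENIGN_SETTING = '{"retries": 3, "hosts": ["a", "b"]}'
INJECTED_SETTING = '(lambda: "attacker expression ran")()'
BENIGN_NAME = "example_pkg"
INJECTED_NAME = 'example_pkg"\nmarker = "second statement ran'
SAMPLE_SOURCE = (
    "cfg = eval(request.cookies['settings'])\n"
    "eval('1 + 1')\n"
    "exec(compile(src, 'x', 'exec'))\n"
)


def demo() -> dict:
    out = {}
    out["vuln_benign"] = load_setting_vulnerable(BENIGN_SETTING)
    out["vuln_injected"] = load_setting_vulnerable(INJECTED_SETTING)
    out["hard_benign"] = load_setting_hardened(BENIGN_SETTING)
    try:
        load_setting_hardened(INJECTED_SETTING)
        out["hard_injected"] = "accepted"
    except ValueError:
        out["hard_injected"] = "rejected"
    out["stub_injected"] = run_stub(build_stub_vulnerable(INJECTED_NAME))
    try:
        build_stub_hardened(INJECTED_NAME)
        out["stub_hardened"] = "accepted"
    except ValueError:
        out["stub_hardened"] = "rejected"
    out["sinks"] = find_dynamic_code_sinks(SAMPLE_SOURCE)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running the file prints each result: the injected setting evaluates to the attacker's string under eval but is rejected by ast.literal_eval, the injected name defines a second variable when the generated stub is executed but never reaches the template in the hardened path, and the scan reports the two calls whose argument is not a literal. The allow-list regex and the stripped builtins are assumptions of this demo, not a recommended sandbox; the durable fix is to never execute text derived from untrusted input.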

CVEs (6,471)

Columns: CVE · Vendors · Products · Updated · Published · CVSS (v4 / v3 / v2)
Vendor: Schneider Electric · Product: Proclima
Updated: Nov 21, 2024 · Published: Jul 15, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
A CWE-94: Code Injection vulnerability exists in ProClima (all versions prior to version 8.0.0) which could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system in all versions of ProClima prior to version 8.0.0.

Vendor: Sap · Product: Diagnostics Agent
Updated: Nov 21, 2024 · Published: Jul 10, 2019
CVSS: v4 N/A · v3 9.1 CRITICAL · v2 6.5 MEDIUM
The OS Command Plugin in the transaction GPA_ADMIN and the OSCommand Console of SAP Diagnostic Agent (LM-Service), version 7.2, allow an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.

Vendor: Strong Password Project · Product: Strong Password
Updated: Nov 21, 2024 · Published: Jul 8, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6.

Vendor: Dlink · Product: Central Wifimanager
Updated: Nov 21, 2024 · Published: Jul 6, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
/web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication.

Vendor: Jetbrains · Product: Teamcity
Updated: Nov 21, 2024 · Published: Jul 3, 2019
CVSS: v4 N/A · v3 6.1 MEDIUM · v2 4.3 MEDIUM
A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3.

Vendor: Jetbrains · Product: Teamcity
Updated: Nov 21, 2024 · Published: Jul 3, 2019
CVSS: v4 N/A · v3 6.1 MEDIUM · v2 4.3 MEDIUM
A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3.

Vendor: Jetbrains · Product: Youtrack Integration
Updated: Nov 21, 2024 · Published: Jul 3, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 7.5 HIGH
In JetBrains YouTrack Confluence plugin versions before 1.8.1.3, it was possible to achieve Server Side Template Injection. The attacker could add an Issue macro to the page in Confluence, and use a combination of a valid id field and specially crafted code in the link-text-template field to execute code remotely.

Vendors (3): Haxx, Netapp, Oracle · Products (9): Curl, Enterprise Manager Ops Center, Http Server, +6 more
Updated: Nov 21, 2024 · Published: Jul 2, 2019
CVSS: v4 N/A · v3 7.8 HIGH · v2 4.4 MEDIUM
A non-privileged user or program can put code and a config file in a known non-privileged path (under C:/usr/local/) that will make curl <= 7.65.1 automatically run the code (as an openssl "engine") on invocation. If that curl is invoked by a privileged user it can do anything it wants.

Vendor: Paloaltonetworks · Product: Traps
Updated: Nov 21, 2024 · Published: Jul 1, 2019
CVSS: v4 N/A · v3 6.3 MEDIUM · v2 6.5 MEDIUM
Code injection vulnerability in Palo Alto Networks Traps 5.0.5 and earlier may allow an authenticated attacker to inject arbitrary JavaScript or HTML.

Vendor: Teamwire · Product: Teamwire
Updated: Nov 21, 2024 · Published: Jun 28, 2019
CVSS: v4 N/A · v3 8.1 HIGH · v2 6.8 MEDIUM
Grouptime Teamwire Desktop Client 1.5.1 prior to 1.9.0 on Windows allows code injection via a template, leading to remote code execution. All backend versions prior to prod-2018-11-13-15-00-42 are affected.

Vendor: My Netdata · Product: Netdata
Updated: Nov 21, 2024 · Published: Jun 18, 2019
CVSS: v4 N/A · v3 6.5 MEDIUM · v2 4.3 MEDIUM
An issue was discovered in Netdata 1.10.0. JSON injection exists via the api/v1/data tqx parameter because of web_client_api_request_v1_data in web/api/web_api_v1.c.

Vendor: Columbiaweather · Product: Weather Microserver Firmware
Updated: Nov 21, 2024 · Published: Jun 18, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
In firmware version MS_2.6.9900 of Columbia Weather MicroServer, an authenticated web user can pipe commands directly to the underlying operating system as user input is not sanitized in networkdiags.php.

Vendors (4): Debian, Opensuse, Redhat, +1 more · Products (4): Debian Linux, Enterprise Linux, Leap, +1 more
Updated: Nov 21, 2024 · Published: Jun 17, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.8 MEDIUM
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.

Vendor: Python · Product: Pyxdg
Updated: Nov 21, 2024 · Published: Jun 6, 2019
CVSS: v4 N/A · v3 7.5 HIGH · v2 5.1 MEDIUM
A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call.

Vendor: Orpak · Product: Siteomat
Updated: Jun 2, 2026 · Published: Jun 3, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
The Orpak SiteOmat OrCU component is vulnerable to code injection, for all versions prior to 2017-09-25, due to a search query that uses a direct shell command. By tampering with the request, an attacker is able to run shell commands and receive valid output from the device.

Vendor: Tldp · Product: Advanced Bash Scripting Guide
Updated: Nov 21, 2024 · Published: May 31, 2019
CVSS: v4 N/A · v3 9.8 CRITICAL · v2 10.0 HIGH
The function getopt_simple as described in Advanced Bash Scripting Guide (ISBN 978-1435752184) allows privilege escalation and execution of commands when used in a shell script called, for example, via sudo.

Vendor: Schneider Electric · Product: Modicon Quantum Firmware
Updated: Nov 21, 2024 · Published: May 22, 2019
CVSS: v4 N/A · v3 9.1 CRITICAL · v2 6.4 MEDIUM
In Modicon Quantum all firmware versions, a CWE-94: Code Injection vulnerability could cause an unauthorized firmware modification with possible Denial of Service when using Modbus protocol.

Vendor: Intel · Products (2): Converged Security And Management Engine, Trusted Execution Technology
Updated: Nov 21, 2024 · Published: May 17, 2019
CVSS: v4 N/A · v3 7.8 HIGH · v2 7.2 HIGH
Code injection vulnerability in installer for Intel(R) CSME before versions 11.8.65, 11.11.65, 11.22.65, 12.0.35 and Intel(R) TXE 3.1.65, 4.0.15 may allow an unprivileged user to potentially enable escalation of privilege via local access.

Vendor: Oneshield · Product: Oneshield Policy
Updated: Nov 21, 2024 · Published: May 8, 2019
CVSS: v4 N/A · v3 8.8 HIGH · v2 6.5 MEDIUM
A log poisoning vulnerability has been discovered in the OneShield Policy (Dragon Core) framework before 5.1.10. Authenticated remote adversaries can poison log files by entering malicious payloads in either headers or form elements. These payloads are then executed via a client side debugging console. This is predicated on the debugging console and Java Bean being made available to the deployed application.

Vendor: Getadblock · Product: Adblock
Updated: Nov 21, 2024 · Published: Apr 29, 2019
CVSS: v4 N/A · v3 8.1 HIGH · v2 6.8 MEDIUM
In AdBlock before 3.45.0, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect.