Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2019-0247 1Sap 1Cloud Connector Nov 21, 2024 Jan 8, 2019 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 SAP Cloud Connector, before version 2.11.3, allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
CVE-2019-3575 1Sqla Yaml Fixtures Project 1Sqla Yaml Fixtures Nov 21, 2024 Jan 3, 2019 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 Sqla_yaml_fixtures 0.9.1 allows local users to execute arbitrary python code via the fixture_text argument in sqla_yaml_fixtures.load.
CVE-2018-20605 1Txjia 1Imcat Nov 21, 2024 Dec 30, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 imcat 4.4 allows remote attackers to execute arbitrary PHP code by using root/run/adm.php to modify the boot/bootskip.php file.
CVE-2018-20599 1Ucms Project 1Ucms Nov 21, 2024 Dec 30, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 UCMS 1.4.7 allows remote attackers to execute arbitrary PHP code by entering this code during an index.php sadmin_fileedit action.
CVE-2018-7801 1Schneider Electric 1Evlink Parking Firmware Nov 21, 2024 Dec 24, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could enable access with maximum privileges when a remote code execution is performed.
CVE-2018-20325 1Definitions Project 1Definitions Nov 21, 2024 Dec 21, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 There is a vulnerability in load() method in definitions/parser.py in the Danijar Hafner definitions package for Python. It can execute arbitrary python commands resulting in command execution.
CVE-2018-1000881 1Traccar 1Server Nov 21, 2024 Dec 20, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. Thi...Show more Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote Command Execution. This attack appear to be exploitable via Remote: web application request by a self-registered user. This vulnerability appears to have been fixed in 4.1 and later.Show less
CVE-2018-20300 1Phome 1Empirecms Nov 21, 2024 Dec 20, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file.
CVE-2018-20133 1Ymlref Project 1Ymlref Nov 21, 2024 Dec 17, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 ymlref allows code injection.
CVE-2018-20027 1Lisa Lab 1Pylearn2 Nov 21, 2024 Dec 17, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The yaml_parse.load method in Pylearn2 allows code injection.
CVE-2018-18249 1Icinga 1Icinga Web 2 Nov 21, 2024 Dec 17, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_...Show more Icinga Web 2 before 2.6.2 allows injection of PHP ini-file directives via vectors involving environment variables as the channel to send information to the attacker, such as a name=${PATH}_${APACHE_RUN_DIR}_${APACHE_RUN_USER} parameter to /icingaweb2/navigation/add or /icingaweb2/dashboard/new-dashlet.Show less
CVE-2018-20129 1Dedecms 1Dedecms Nov 21, 2024 Dec 13, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conju...Show more An issue was discovered in DedeCMS V5.7 SP2. uploads/include/dialog/select_images_post.php allows remote attackers to upload and execute arbitrary PHP code via a double extension and a modified ".php" substring, in conjunction with the image/jpeg content type, as demonstrated by the filename=1.jpg.p*hp value.Show less
CVE-2018-8540 1Microsoft 1.net Framework Nov 21, 2024 Dec 12, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 4.6, Micros...Show more A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 4.6.2.Show less
CVE-2018-19595 1Pbootcms 1Pbootcms Nov 21, 2024 Nov 27, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); UR...Show more PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism.Show less
CVE-2018-19520 2Php Sdcms 2Php Sdcms Nov 21, 2024 Nov 25, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e...Show more An issue was discovered in SDCMS 1.6 with PHP 5.x. app/admin/controller/themecontroller.php uses a check_bad function in an attempt to block certain PHP functions such as eval, but does not prevent use of preg_replace 'e' calls, allowing users to execute arbitrary code by leveraging access to admin template management.Show less
CVE-2018-19463 1Zblogcn 1Z Blogphp Nov 21, 2024 Nov 22, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOT...Show more zb_system/function/lib/upload.php in Z-BlogPHP through 1.5.1 allows remote attackers to execute arbitrary PHP code by using the image/jpeg content type in an upload to the zb_system/admin/index.php?act=UploadMng URI. NOTE: The vendor's position is "We have no dynamic including. No one can run PHP by uploading an image in current version." It also requires authenticationShow less
CVE-2018-19404 1Yxcms 1Yxcms Nov 21, 2024 Nov 21, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at a...Show more In YXcms 1.4.7, protected/apps/appmanage/controller/indexController.php allow remote authenticated Administrators to execute any PHP code by creating a ZIP archive containing a config.php file, hosting the .zip file at an external URL, and visiting index.php?r=appmanage/index/onlineinstall&url= followed by that URL. This is related to the onlineinstall and import functions.Show less
CVE-2018-8415 1Microsoft 9Powershell Core Windows 10Windows 7+6 more Nov 21, 2024 Nov 14, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A tampering vulnerability exists in PowerShell that could allow an attacker to execute unlogged code, aka "Microsoft PowerShell Tampering Vulnerability." This affects Windows 7, PowerShell Core 6.1, Windows Server 2012 R...Show more A tampering vulnerability exists in PowerShell that could allow an attacker to execute unlogged code, aka "Microsoft PowerShell Tampering Vulnerability." This affects Windows 7, PowerShell Core 6.1, Windows Server 2012 R2, Windows RT 8.1, PowerShell Core 6.0, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.Show less
CVE-2018-2491 1Sap 1Fiori Client Nov 21, 2024 Nov 13, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-i...Show more When opening a deep link URL in SAP Fiori Client with log level set to "Debug", the client application logs the URL to the log file. If this URL contains malicious JavaScript code it can eventually run inside the built-in log viewer of the application in case user opens the viewer and taps on the hyperlink in the viewer. SAP Fiori Client version 1.11.5 in Google Play store addresses these issues and users must update to that version.Show less
CVE-2018-1808 1Ibm 1Websphere Commerce Nov 21, 2024 Nov 13, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 IBM WebSphere Commerce 9.0.0.0 through 9.0.0.6 could allow some server-side code injection due to inadequate input control. IBM X-Force ID: 149828.

Previous 1...207208209...324 Next