CWE-94

6,471 CVEs • Abstraction: Base • Likelihood of Exploit: Medium

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE
VENDORS
PRODUCTS
UPDATED
PUBLISHED
CVSS
1 vendor: Hisiphp
1 product: Hisiphp
Nov 21, 2024
Oct 1, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php.
1 vendor: Otcms
1 product: Otcms
Nov 21, 2024
Sep 23, 2018
N/A· v4
8.1 HIGH· v3
6.8 MEDIUM· v2
OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter.
1 vendor: Lg
1 product: Supersign Cms
Nov 21, 2024
Sep 21, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.
1 vendor: Awesomemotive
1 product: Duplicator
Feb 2, 2026
Sep 19, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution.
1 vendor: Moodle
1 product: Moodle
Nov 21, 2024
Sep 17, 2018
N/A· v4
8.8 HIGH· v3
6.5 MEDIUM· v2
moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source.
4 vendors: Apache, Canonical, Debian, +1 more
7 products: Debian Linux, Enterprise Linux Desktop, Enterprise Linux Server, +4 more
Nov 21, 2024
Sep 17, 2018
N/A· v4
7.8 HIGH· v3
4.6 MEDIUM· v2
Apache SpamAssassin 3.4.2 fixes a local user code injection in the meta rule syntax.
4 vendors: Apache, Canonical, Debian, +1 more
4 products: Debian Linux, Pdfinfo, Spamassassin, +1 more
Nov 21, 2024
Sep 17, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
A potential Remote Code Execution bug exists with the PDFInfo plugin in Apache SpamAssassin before 3.4.2.
1 vendor: Phpmywind
1 product: Phpmywind
Nov 21, 2024
Sep 17, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field.
1 vendor: Phpmywind
1 product: Phpmywind
Nov 21, 2024
Sep 17, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting.
1 vendor: Phpmywind
1 product: Phpmywind
Nov 21, 2024
Sep 17, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter.
1 vendor: Phpmywind
1 product: Phpmywind
Nov 21, 2024
Sep 17, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field.
1 vendor: Chshcms
1 product: Cscms
Nov 21, 2024
Sep 17, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.
1 vendor: Ucms Project
1 product: Ucms
Nov 21, 2024
Sep 14, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.
1 vendor: Bigtreecms
1 product: Bigtree Cms
Nov 21, 2024
Sep 14, 2018
N/A· v4
7.5 HIGH· v3
6.0 MEDIUM· v2
BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php.
1 vendor: Elefantcms
1 product: Elefant
Nov 21, 2024
Sep 12, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php.
1 vendor: Intel
1 product: Sa 00086 Detection Tool
Nov 21, 2024
Sep 12, 2018
N/A· v4
6.7 MEDIUM· v3
4.6 MEDIUM· v2
Code injection vulnerability in INTEL-SA-00086 Detection Tool before version 1.2.7.0 may allow a privileged user to potentially execute arbitrary code via local access.
1 vendor: Monstra
1 product: Monstra
Nov 21, 2024
Sep 10, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring.
1 vendor: Hoosk
1 product: Hoosk
Nov 21, 2024
Sep 10, 2018
N/A· v4
9.8 CRITICAL· v3
7.5 HIGH· v2
Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php.
1 vendor: Nibbleblog
1 product: Nibbleblog
Nov 21, 2024
Sep 6, 2018
N/A· v4
7.2 HIGH· v3
6.5 MEDIUM· v2
An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., "${phpinfo()}").
1 vendor: Hibara
1 product: Attachecase
Nov 21, 2024
Sep 4, 2018
N/A· v4
7.8 HIGH· v3
6.8 MEDIUM· v2
AttacheCase ver.3.3.0.0 and earlier allows an arbitrary script execution via unspecified vectors.