Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-0674 1Hibara 1Attachecase Nov 21, 2024 Sep 4, 2018 N/A· v4 7.8 HIGH· v3 6.8 MEDIUM· v2 AttacheCase ver.2.8.4.0 and earlier allows an arbitrary script execution via unspecified vectors.
CVE-2018-16343 1Seacms 1Seacms Nov 21, 2024 Sep 2, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS.
CVE-2018-6499 1Microfocus 8Data Center Automation Hybrid Cloud ManagementNetwork Operations Management+5 more Nov 21, 2024 Aug 30, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Cont...Show more Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05, Service Virtualization (SV) with floating licenses using Any version using APLS older than 10.7, Unified Functional Testing (UFT) with floating licenses using Any version using APLS older than 10.7, Network Virtualization (NV) with floating licenses using Any version using APLS older than 10.7 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.Show less
CVE-2018-6498 1Microfocus 5Data Center Automation Hybrid Cloud ManagementNetwork Operations Management+2 more Nov 21, 2024 Aug 30, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Cont...Show more Remote Code Execution in the following products Hybrid Cloud Management Containerized Suite HCM2017.11, HCM2018.02, HCM2018.05, Operations Bridge Containerized Suite 2017.11, 2018.02, 2018.05, Data Center Automation Containerized Suite 2017.01 until 2018.05, Service Management Automation Suite 2017.11, 2018.02, 2018.05 and Network Operations Management (NOM) Suite CDF 2017.11, 2018.02, 2018.05 will allow Remote Code Execution.Show less
CVE-2011-2767 4Apache CanonicalDebian+1 more 7Debian Linux Enterprise LinuxEnterprise Linux Desktop+4 more Nov 21, 2024 Aug 26, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code fo...Show more mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing without also permitting unprivileged users to run Perl code in the context of the user account that runs Apache HTTP Server processes.Show less
CVE-2018-15728 1Couchbase 1Couchbase Server Nov 21, 2024 Aug 24, 2018 N/A· v4 8.8 HIGH· v3 9.0 HIGH· v2 Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval'...Show more Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2Show less
CVE-2017-1753 1Ibm 6Rational Doors Next Generation Rational Engineering Lifecycle ManagerRational Quality Manager+3 more Nov 21, 2024 Aug 20, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 Multiple IBM Rational products are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hos...Show more Multiple IBM Rational products are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 135655.Show less
CVE-2015-5243 1Phpwhois Project 1Phpwhois Nov 21, 2024 Aug 20, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 phpWhois allows remote attackers to execute arbitrary code via a crafted whois record.
CVE-2018-3784 1Cryo Project 1Cryo Nov 21, 2024 Aug 17, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A code injection in cryo 0.0.6 allows an attacker to arbitrarily execute code due to insecure implementation of deserialization.
CVE-2018-8346 1Microsoft 2Windows 7 Windows Server 2008 Nov 21, 2024 Aug 15, 2018 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windo...Show more A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8345.Show less
CVE-2018-8345 1Microsoft 7Windows 10 Windows 7Windows 8.1+4 more Nov 21, 2024 Aug 15, 2018 N/A· v4 7.5 HIGH· v3 7.6 HIGH· v2 A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server...Show more A remote code execution vulnerability exists in Microsoft Windows that could allow remote code execution if a .LNK file is processed, aka "LNK Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-8346.Show less
CVE-2018-8344 1Microsoft 7Windows 10 Windows 7Windows 8.1+4 more Nov 21, 2024 Aug 15, 2018 N/A· v4 8.8 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Window...Show more A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka "Microsoft Graphics Remote Code Execution Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.Show less
CVE-2018-14716 1Nystudio107 1Seomatic Nov 21, 2024 Aug 6, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of...Show more A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code.Show less
CVE-2016-4397 1Hp 1Network Node Manager I Nov 21, 2024 Aug 6, 2018 N/A· v4 7.8 HIGH· v3 4.6 MEDIUM· v2 A local code execution security vulnerability was identified in HP Network Node Manager i (NNMi) v10.00, v10.10 and v10.20 Software.
CVE-2016-4391 1Hp 1Arcsight Winc Connector Nov 21, 2024 Aug 6, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution security vulnerability has been identified in all versions of the HP ArcSight WINC Connector prior to v7.3.0.
CVE-2018-14910 1Seacms 1Seacms Nov 21, 2024 Aug 3, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php....Show more SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF.Show less
CVE-2018-7748 1Servicenow 1Servicenow Nov 21, 2024 Aug 3, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 report_viewer.do in ServiceNow Release Jakarta Patch 8 and earlier allows remote attackers to execute arbitrary code via '${xyz}' Glide Scripting Injection in the sysparm_media parameter.
CVE-2018-14579 1Golemcms Project 1Golemcms Nov 21, 2024 Jul 24, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" for...Show more GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct request for install/install.sql.Show less
CVE-2018-1999023 1Wesnoth 1The Battle For Wesnoth Nov 21, 2024 Jul 23, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable...Show more The Battle for Wesnoth Project version 1.7.0 through 1.14.3 contains a Code Injection vulnerability in the Lua scripting engine that can result in code execution outside the sandbox. This attack appear to be exploitable via Loading specially-crafted saved games, networked games, replays, and player content.Show less
CVE-2018-1999022 2Civicrm Html Quickform Project 2Civicrm Html Quickform Nov 21, 2024 Jul 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_Quick...Show more PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's _prepareValue method. that can result in Possible information disclosure, possible impact on data integrity and execution of arbitrary code. This attack appear to be exploitable via A specially crafted query string could be utilised, e.g. http://www.example.com/admin/add_practice_type_id[1]=fubar%27])%20OR%20die(%27OOK!%27);%20//&mode=live. This vulnerability appears to have been fixed in 3.2.15.Show less

Previous 1...210211212...324 Next