Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-1999019 1Chamilo 1Chamilo Lms Nov 21, 2024 Jul 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack...Show more Chamilo LMS version 11.x contains an Unserialization vulnerability in the "hash" GET parameter for the api endpoint located at /webservices/api/v2.php that can result in Unauthenticated remote code execution. This attack appear to be exploitable via a simple GET request to the api endpoint. This vulnerability appears to have been fixed in After commit 0de84700648f098c1fbf6b807dee28ec640efe62.Show less
CVE-2018-14421 1Seacms 1Seacms Nov 21, 2024 Jul 20, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This...Show more SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF.Show less
CVE-2018-7602 2Debian Drupal 2Debian Linux Drupal Nov 7, 2025 Jul 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being c...Show more A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being compromised. This vulnerability is related to Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002. Both SA-CORE-2018-002 and this vulnerability are being exploited in the wild.Show less
CVE-2014-2302 1Webedition 1Webedition Cms Nov 21, 2024 Jul 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.
CVE-2018-14399 1Phpcms Project 1Phpcms Nov 21, 2024 Jul 19, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attackers to upload and execute arbitrary PHP code via a .txt?.php#.jpg URI in the SRC attribute of an IMG element within info[content] JSON data to the ind...Show more libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attackers to upload and execute arbitrary PHP code via a .txt?.php#.jpg URI in the SRC attribute of an IMG element within info[content] JSON data to the index.php?m=member&c=index&a=register URI.Show less
CVE-2018-8284 1Microsoft 5.net Framework Project ServerSharepoint Enterprise Server+2 more Nov 21, 2024 Jul 11, 2018 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Micros...Show more A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.Show less
CVE-2018-2427 1Sap 2Businessobjects Business Intelligence Crystal Reports Nov 21, 2024 Jul 10, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. A...Show more SAP BusinessObjects Business Intelligence Suite, versions 4.10 and 4.20, and SAP Crystal Reports (version for Visual Studio .NET, Version 2010) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behaviour of the application.Show less
CVE-2018-13818 1Symfony 1Twig Nov 21, 2024 Jul 10, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web ap...Show more Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to itShow less
CVE-2018-3608 1Trendmicro 6Antivirus + Security Internet SecurityMaximum Security+3 more Nov 21, 2024 Jul 6, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable s...Show more A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected into other processes.Show less
CVE-2017-1329 1Ibm 2Rational Collaborative Lifecycle Management Rational Quality Manager Nov 21, 2024 Jul 6, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the secu...Show more IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 126231.Show less
CVE-2017-1248 1Ibm 2Rational Collaborative Lifecycle Management Rational Quality Manager Nov 21, 2024 Jul 6, 2018 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the secu...Show more IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124628.Show less
CVE-2017-1242 1Ibm 2Rational Collaborative Lifecycle Management Rational Quality Manager Nov 21, 2024 Jul 6, 2018 N/A· v4 5.4 MEDIUM· v3 3.5 LOW· v2 IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the secu...Show more IBM Quality Manager (RQM) 5.0.x and 6.0 through 6.0.5 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 124524.Show less
CVE-2018-13043 2Canonical Debian 2Devscripts Ubuntu Linux Nov 21, 2024 Jul 1, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading because YAML::Syck is used without a configuration that prevents unintended blessing.
CVE-2018-12995 1Onefilecms 1Onefilecms Nov 21, 2024 Jun 29, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the Upload screen.
CVE-2018-12994 1Onefilecms 1Onefilecms Nov 21, 2024 Jun 29, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the New File screen.
CVE-2017-7465 1Redhat 1Jboss Enterprise Application Platform Nov 21, 2024 Jun 27, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content...Show more It was found that the JAXP implementation used in JBoss EAP 7.0 for XSLT processing is vulnerable to code injection. An attacker could use this flaw to cause remote code execution if they are able to provide XSLT content for parsing. Doing a transform in JAXP requires the use of a 'javax.xml.transform.TransformerFactory'. If the FEATURE_SECURE_PROCESSING feature is set to 'true', it mitigates this vulnerability.Show less
CVE-2018-11587 1Centreon 2Centreon Centreon Web Nov 21, 2024 Jun 25, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php.
CVE-2018-12531 1Metinfo 1Metinfo Nov 21, 2024 Jun 18, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.
CVE-2017-3907 1Mcafee 1Mcafee Threat Intelligence Exchange Nov 21, 2024 Jun 13, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Code Injection vulnerability in the ePolicy Orchestrator (ePO) extension in McAfee Threat Intelligence Exchange (TIE) Server 2.1.0 and earlier allows remote attackers to execute arbitrary HTML code to be reflected in the...Show more Code Injection vulnerability in the ePolicy Orchestrator (ePO) extension in McAfee Threat Intelligence Exchange (TIE) Server 2.1.0 and earlier allows remote attackers to execute arbitrary HTML code to be reflected in the response web page via unspecified vector.Show less
CVE-2018-5158 4Canonical DebianMozilla+1 more 9Debian Linux Enterprise Linux DesktopEnterprise Linux Server+6 more Nov 25, 2025 Jun 11, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF view...Show more The PDF viewer does not sufficiently sanitize PostScript calculator functions, allowing malicious JavaScript to be injected through a crafted PDF file. This JavaScript can then be run with the permissions of the PDF viewer by its worker. This vulnerability affects Firefox ESR < 52.8 and Firefox < 60.Show less

Previous 1...211212213...324 Next