Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CVEs (6,471)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2018-9174 1Dedecms 1Dedecms Nov 21, 2024 Apr 2, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 sys_verifies.php in DedeCMS 5.7 allows remote attackers to execute arbitrary PHP code via the refiles array parameter, because the contents of modifytmp.inc are under an attacker's control.
CVE-2018-8823 2Prestashop Responsive Mega Menu Pro Project 2Prestashop Responsive Mega Menu Pro Nov 21, 2024 Mar 28, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code p...Show more modules/bamegamenu/ajax_phpcode.php in the Responsive Mega Menu (Horizontal+Vertical+Dropdown) Pro module 1.0.32 for PrestaShop 1.5.5.0 through 1.7.2.5 allows remote attackers to execute arbitrary PHP code via the code parameter.Show less
CVE-2014-2293 1Zikula 1Zikula Application Framework Nov 21, 2024 Mar 26, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentic...Show more Zikula Application Framework before 1.3.7 build 11 allows remote attackers to conduct PHP object injection attacks and delete arbitrary files or execute arbitrary PHP code via crafted serialized data in the (1) authentication_method_ser or (2) authentication_info_ser parameter to index.php, or (3) zikulaMobileTheme parameter to index.php.Show less
CVE-2018-8966 1Zzcms 1Zzcms Nov 21, 2024 Mar 24, 2018 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 An issue was discovered in zzcms 8.2. It allows PHP code injection via the siteurl parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.
CVE-2018-1207 1Dell 2Emc Idrac7 Emc Idrac8 Nov 21, 2024 Mar 23, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to exec...Show more Dell EMC iDRAC7/iDRAC8, versions prior to 2.52.52.52, contain CGI injection vulnerability which could be used to execute remote code. A remote unauthenticated attacker may potentially be able to use CGI variables to execute remote code.Show less
CVE-2017-1789 1Ibm 1Tivoli Monitoring Nov 21, 2024 Mar 22, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 IBM Tivoli Monitoring V6 6.2.3 and 6.3.0 could allow an unauthenticated user to remotely execute code through unspecified methods. IBM X-Force ID: 137034.
CVE-2018-8074 1Yiiframework 1Yii Nov 21, 2024 Mar 21, 2018 N/A· v4 8.1 HIGH· v3 6.8 MEDIUM· v2 Yii 2.x before 2.0.15 allows remote attackers to inject unintended search conditions via a variant of the CVE-2018-7269 attack in conjunction with the Elasticsearch extension.
CVE-2018-8073 1Yiiframework 1Yii Nov 21, 2024 Mar 21, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Yii 2.x before 2.0.15 allows remote attackers to execute arbitrary LUA code via a variant of the CVE-2018-7269 attack in conjunction with the Redis extension.
CVE-2011-3178 1Opensuse 1Open Build Service Nov 21, 2024 Mar 20, 2018 N/A· v4 8.8 HIGH· v3 6.5 MEDIUM· v2 In the web ui of the openbuildservice before 2.3.0 a code injection of the project rebuildtimes statistics could be used by authorized attackers to execute shellcode.
CVE-2018-8756 1Yzmcms 1Yzmcms Nov 21, 2024 Mar 18, 2018 N/A· v4 7.2 HIGH· v3 6.5 MEDIUM· v2 Eval injection in yzmphp/core/function/global.func.php in YzmCMS v3.7.1 allows remote attackers to achieve arbitrary code execution via PHP code in the POST data of an index.php?m=member&c=member_content&a=init request.
CVE-2018-7756 1Dewesoft 1Dewesoft Nov 21, 2024 Mar 15, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as...Show more RunExeFile.exe in the installer for DEWESoft X3 SP1 (64-bit) devices does not require authentication for sessions on TCP port 1999, which allows remote attackers to execute arbitrary code or access internal commands, as demonstrated by a RUN command that launches a .EXE file located at an arbitrary external URL, or a "SETFIREWALL Off" command.Show less
CVE-2018-5782 1Mitel 2Connect Onsite St14.2 Nov 21, 2024 Mar 14, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specia...Show more A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vsethost.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.Show less
CVE-2018-5781 1Mitel 2Connect Onsite St14.2 Nov 21, 2024 Mar 14, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specia...Show more A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vendrecording.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.Show less
CVE-2018-5780 1Mitel 2Connect Onsite St14.2 Nov 21, 2024 Mar 14, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specia...Show more A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to inject PHP code using specially crafted requests to the vnewmeeting.php page. Successful exploit could allow an attacker to execute arbitrary PHP code within the context of the application.Show less
CVE-2018-5779 1Mitel 2Connect Onsite St14.2 Nov 21, 2024 Mar 14, 2018 N/A· v4 9.8 CRITICAL· v3 10.0 HIGH· v2 A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into...Show more A vulnerability in the conferencing component of Mitel Connect ONSITE, versions R1711-PREM and earlier, and Mitel ST 14.2, release GA28 and earlier, could allow an unauthenticated attacker to copy a malicious script into a newly generated PHP file and then execute the generated file using specially crafted requests. Successful exploit could allow an attacker to execute arbitrary code within the context of the application.Show less
CVE-2018-8097 1Python Eve 1Eve Nov 21, 2024 Mar 14, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.
CVE-2018-1000070 1Bitmessage 1Pybitmessage Nov 21, 2024 Mar 13, 2018 N/A· v4 8.8 HIGH· v3 6.8 MEDIUM· v2 Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0) contains a Eval injection vulnerability in main program, file src/messagetypes/__init__.py function cons...Show more Bitmessage PyBitmessage version v0.6.2 (and introduced in or after commit 8ce72d8d2d25973b7064b1cf76a6b0b3d62f0ba0) contains a Eval injection vulnerability in main program, file src/messagetypes/__init__.py function constructObject that can result in Code Execution. This attack appears to be exploitable via remote attacker using a malformed message which must be processed by the victim - e.g. arrive from any sender on bitmessage network. This vulnerability appears to have been fixed in v0.6.3.Show less
CVE-2018-7466 1Testlink 1Testlink Nov 21, 2024 Feb 25, 2018 N/A· v4 7.5 HIGH· v3 6.0 MEDIUM· v2 install/installNewDB.php in TestLink through 1.9.16 allows remote attackers to conduct injection attacks by leveraging control over DB LOGIN NAMES data during installation to provide a long, crafted value.
CVE-2018-6488 1Microfocus 1Ucmdb Configuration Manager Nov 21, 2024 Feb 22, 2018 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 Arbitrary Code Execution vulnerability in Micro Focus Universal CMDB, version 4.10, 4.11, 4.12. This vulnerability could be remotely exploited to allow Arbitrary Code Execution.
CVE-2018-7271 1Metinfo 1Metinfo Nov 21, 2024 Feb 21, 2018 N/A· v4 8.1 HIGH· v3 9.3 HIGH· v2 An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation proce...Show more An issue was discovered in MetInfo 6.0.0. In install/install.php in the installation process, the config/config_db.php configuration file filtering is not rigorous: one can insert malicious code in the installation process to execute arbitrary commands or obtain a web shell.Show less

Previous 1...214215216...324 Next