Vulnerabilities (CVE)

Filtered by CWE-74
Total 961 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-4028 2 Mcafee, Microsoft 7 Anti-virus Plus, Endpoint Security, Host Intrusion Prevention and 4 more 2024-02-28 2.1 LOW 4.4 MEDIUM
Maliciously misconfigured registry vulnerability in all Microsoft Windows products in McAfee consumer and corporate products allows an administrator to inject arbitrary code into a debugged McAfee process via manipulation of registry parameters.
CVE-2017-0372 2 Debian, Mediawiki 2 Debian Linux, Mediawiki 2024-02-28 7.5 HIGH 9.8 CRITICAL
Parameters injection in the SyntaxHighlight extension of Mediawiki before 1.23.16, 1.27.3 and 1.28.2 might result in multiple vulnerabilities.
CVE-2017-14094 1 Trendmicro 1 Smart Protection Server 2024-02-28 7.5 HIGH 9.8 CRITICAL
A vulnerability in Trend Micro Smart Protection Server (Standalone) versions 3.2 and below could allow an attacker to perform remote command execution via a cron job injection on a vulnerable system.
CVE-2017-5799 1 Hp 1 Opencall Media Platform 2024-02-28 6.5 MEDIUM 8.8 HIGH
A Remote Code Execution vulnerability in HPE OpenCall Media Platform (OCMP) was found. The vulnerability impacts OCMP versions prior to 3.4.2 RP201 (for OCMP 3.x), all versions prior to 4.4.7 RP702 (for OCMP 4.x).
CVE-2016-10498 1 Qualcomm 60 Mdm9206, Mdm9206 Firmware, Mdm9607 and 57 more 2024-02-28 10.0 HIGH 9.8 CRITICAL
In Android before 2018-04-05 or earlier security patch level on Qualcomm Snapdragon Mobile MDM9635M, MDM9645, MDM9650, MDM9655, SD 210/SD 212/SD 205, SD 400, SD 410/12, SD 425, SD 427, SD 430, SD 435, SD 450, SD 615/16/SD 415, SD 617, SD 625, SD 650/52, SD 810, SDM630, SDM636, SDM660, and Snapdragon_High_Med_2016, stopping of the DTR prematurely causes micro kernel to be stuck. This can be triggered with a timing change injectable in RACH procedure.
CVE-2018-6519 2 Debian, Simplesamlphp 2 Debian Linux, Saml2 2024-02-28 5.0 MEDIUM 7.5 HIGH
The SAML2 library before 1.10.4, 2.x before 2.3.5, and 3.x before 3.1.1 in SimpleSAMLphp has a Regular Expression Denial of Service vulnerability for fraction-of-seconds data in a timestamp.
CVE-2018-0313 1 Cisco 72 Nexus 172tq-xl, Nexus 2148t, Nexus 2224tp Ge and 69 more 2024-02-28 9.0 HIGH 8.8 HIGH
A vulnerability in the NX-API feature of Cisco NX-OS Software could allow an authenticated, remote attacker to send a malicious packet to the management interface on an affected system and execute a command-injection exploit. The vulnerability is due to incorrect input validation of user-supplied data to the NX-API subsystem. An attacker could exploit this vulnerability by sending a malicious HTTP or HTTPS packet to the management interface of an affected system that has the NX-API feature enabled. A successful exploit could allow the attacker to execute arbitrary commands with root privileges. Note: NX-API is disabled by default. This vulnerability affects MDS 9000 Series Multilayer Switches, Nexus 2000 Series Fabric Extenders, Nexus 3000 Series Switches, Nexus 3500 Platform Switches, Nexus 5500 Platform Switches, Nexus 5600 Platform Switches, Nexus 6000 Series Switches, Nexus 7000 Series Switches, Nexus 7700 Series Switches, Nexus 9000 Series Switches in standalone NX-OS mode, Nexus 9500 R-Series Line Cards and Fabric Modules. Cisco Bug IDs: CSCvd47415, CSCve03216, CSCve03224, CSCve03234.
CVE-2017-10963 1 Samsung 2 Knox Enterprise Mobility Management, Knox Identity Access Management 2024-02-28 4.3 MEDIUM 5.9 MEDIUM
In Knox SDS IAM (Identity Access Management) and EMM (Enterprise Mobility Management) 16.11 on Samsung mobile devices, a man-in-the-middle attacker can install any application into the Knox container (without the user's knowledge) by inspecting network traffic from a Samsung server and injecting content at a certain point in the update sequence. This installed application can further leak information stored inside the Knox container to the outside world.
CVE-2014-2294 1 Openwebanalytics 1 Open Web Analytics 2024-02-28 7.5 HIGH 9.8 CRITICAL
Open Web Analytics (OWA) before 1.5.7 allows remote attackers to conduct PHP object injection attacks via a crafted serialized object in the owa_event parameter to queue.php.
CVE-2017-7848 3 Debian, Mozilla, Redhat 8 Debian Linux, Thunderbird, Enterprise Linux and 5 more 2024-02-28 5.0 MEDIUM 5.3 MEDIUM
RSS fields can inject new lines into the created email structure, modifying the message body. This vulnerability affects Thunderbird < 52.5.2.
CVE-2018-6220 1 Trendmicro 1 Email Encryption Gateway 2024-02-28 7.5 HIGH 9.8 CRITICAL
An arbitrary file write vulnerability in Trend Micro Email Encryption Gateway 5.5 could allow an attacker to inject arbitrary data, which may lead to gaining code execution on vulnerable systems.
CVE-2018-4995 3 Adobe, Apple, Microsoft 4 Acrobat Dc, Acrobat Reader Dc, Mac Os X and 1 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an XFA '\n' POST injection vulnerability. Successful exploitation could lead to a security bypass.
CVE-2017-18049 1 Silverstripe 1 Silverstripe 2024-02-28 4.3 MEDIUM 5.5 MEDIUM
In the CSV export feature of SilverStripe before 3.5.6, 3.6.x before 3.6.3, and 4.x before 4.0.1, it's possible for the output to contain macros and scripts, which may be executed if imported without sanitization into common software (including Microsoft Excel). For example, the CSV data may contain untrusted user input from the "First Name" field of a user's /myprofile page.
CVE-2018-1319 1 Apache 1 Allura 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
In Apache Allura prior to 1.8.1, attackers may craft URLs that cause HTTP response splitting. If a victim goes to a maliciously crafted URL, unwanted results may occur including XSS or service denial for the victim's browsing session.
CVE-2015-1975 1 Ibm 1 Tivoli Directory Server 2024-02-28 4.6 MEDIUM 7.8 HIGH
The web administration tool in IBM Tivoli Security Directory Server 6.0 before iFix 75, 6.1 before iFix 68, 6.2 before iFix 44, and 6.3 before iFix 37 and IBM Security Directory Server 6.3.1 before iFix 11 and 6.4 before iFix 2 allows local users to gain privileges via vectors related to argument injection. IBM X-Force ID: 103694.
CVE-2018-1549 1 Ibm 1 Rational Quality Manager 2024-02-28 4.9 MEDIUM 5.4 MEDIUM
IBM Rational Quality Manager 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. IBM X-Force ID: 142658.
CVE-2018-4106 1 Apple 1 Mac Os X 2024-02-28 6.8 MEDIUM 8.8 HIGH
An issue was discovered in certain Apple products. macOS before 10.13.4 is affected. The issue involves the Bracketed Paste Mode of the "Terminal" component. It allows user-assisted attackers to inject arbitrary commands within pasted content.
CVE-2018-1000193 2 Jenkins, Oracle 2 Jenkins, Communications Cloud Native Core Automated Test Suite 2024-02-28 4.0 MEDIUM 4.3 MEDIUM
A improper neutralization of control sequences vulnerability exists in Jenkins 2.120 and older, LTS 2.107.2 and older in HudsonPrivateSecurityRealm.java that allows users to sign up using user names containing control characters that can then appear to have the same name as other users, and cannot be deleted via the UI.
CVE-2018-4235 1 Apple 4 Apple Tv, Iphone Os, Mac Os X and 1 more 2024-02-28 2.1 LOW 5.5 MEDIUM
An issue was discovered in certain Apple products. iOS before 11.4 is affected. macOS before 10.13.5 is affected. tvOS before 11.4 is affected. watchOS before 4.3.1 is affected. The issue involves the "Messages" component. It allows local users to perform impersonation attacks via an unspecified injection.
CVE-2018-6603 1 Promise 1 Webpam Proe 2024-02-28 4.3 MEDIUM 6.1 MEDIUM
Promise Technology WebPam Pro-E devices allow remote attackers to conduct XSS, HTTP Response Splitting, and CRLF Injection attacks via JavaScript code in a PHPSESSID cookie.