Vulnerabilities (CVE)

Filtered by CWE-74
Total 961 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2017-9135 1 Mimosa 2 Backhaul Radios, Client Radios 2024-02-28 9.0 HIGH 8.8 HIGH
An issue was discovered on Mimosa Client Radios before 2.2.4 and Mimosa Backhaul Radios before 2.2.4. On the backend of the device's web interface, there are some diagnostic tests available that are not displayed on the webpage; these are only accessible by crafting a POST request with a program like cURL. There is one test accessible via cURL that does not properly sanitize user input, allowing an attacker to execute shell commands as the root user.
CVE-2016-1155 1 Google 1 Android 2024-02-28 7.5 HIGH 9.8 CRITICAL
HTTP header injection vulnerability in the URLConnection class in Android OS 2.2 through 6.0 allows remote attackers to execute arbitrary scripts or set arbitrary values in cookies.
CVE-2016-5013 1 Moodle 1 Moodle 2024-02-28 5.8 MEDIUM 5.4 MEDIUM
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
CVE-2016-6754 1 Google 1 Android 2024-02-28 6.8 MEDIUM 8.8 HIGH
A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website. This issue is rated as High due to the possibility of remote code execution in an unprivileged process. Android ID: A-31217937.
CVE-2017-7239 1 Ninka Project 1 Ninka 2024-02-28 7.5 HIGH 9.8 CRITICAL
Ninka before 1.3.2 might allow remote attackers to obtain sensitive information, manipulate license compliance scan results, or cause a denial of service (process hang) via a crafted filename.
CVE-2015-8258 1 Axis 1 Axis Communications Firmware 2024-02-28 7.8 HIGH 7.5 HIGH
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."
CVE-2016-5685 1 Dell 4 Idrac7, Idrac7 Firmware, Idrac8 and 1 more 2024-02-28 9.0 HIGH 8.8 HIGH
Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection.
CVE-2017-7703 2 Debian, Wireshark 2 Debian Linux, Wireshark 2024-02-28 5.0 MEDIUM 7.5 HIGH
In Wireshark 2.2.0 to 2.2.5 and 2.0.0 to 2.0.11, the IMAP dissector could crash, triggered by packet injection or a malformed capture file. This was addressed in epan/dissectors/packet-imap.c by calculating a line's end correctly.
CVE-2015-3253 2 Apache, Oracle 6 Groovy, Health Sciences Clinical Development Center, Retail Order Broker Cloud Service and 3 more 2024-02-28 7.5 HIGH 9.8 CRITICAL
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
CVE-2015-7309 1 Boltcms 1 Bolt 2024-02-28 6.5 MEDIUM N/A
The theme editor in Bolt before 2.2.5 does not check the file extension when renaming files, which allows remote authenticated users to execute arbitrary code by renaming a crafted file and then directly accessing it.
CVE-2015-5841 1 Apple 3 Iphone Os, Mac Os X, Watchos 2024-02-28 5.0 MEDIUM N/A
The CFNetwork Proxies component in Apple iOS before 9 does not properly handle a Set-Cookie header within a response to an HTTP CONNECT request, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.
CVE-2014-8910 1 Ibm 1 Db2 2024-02-28 4.0 MEDIUM N/A
IBM DB2 9.7 through FP10, 9.8 through FP5, 10.1 before FP5, and 10.5 through FP5 on Linux, UNIX, and Windows allows remote authenticated users to read arbitrary text files via a crafted XML/XSLT function in a SELECT statement.
CVE-2015-1762 1 Microsoft 1 Sql Server 2024-02-28 7.1 HIGH N/A
Microsoft SQL Server 2008 SP3 and SP4, 2008 R2 SP2 and SP3, 2012 SP1 and SP2, and 2014, when transactional replication is configured, does not prevent use of uninitialized memory in unspecified function calls, which allows remote authenticated users to execute arbitrary code by leveraging certain permissions and making a crafted query, as demonstrated by the VIEW SERVER STATE permission, aka "SQL Server Remote Code Execution Vulnerability."
CVE-2016-7125 1 Php 1 Php 2024-02-28 5.0 MEDIUM 7.5 HIGH
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.
CVE-2016-2204 1 Symantec 1 Messaging Gateway 2024-02-28 6.5 MEDIUM 8.2 HIGH
The management console on Symantec Messaging Gateway (SMG) Appliance devices before 10.6.1 allows local users to obtain root-shell access via crafted terminal-window input.
CVE-2015-3013 1 Owncloud 1 Owncloud 2024-02-28 6.0 MEDIUM N/A
ownCloud Server before 5.0.19, 6.x before 6.0.7, and 7.x before 7.0.5 allows remote authenticated users to bypass the file blacklist and upload arbitrary files via a file path with UTF-8 encoding, as demonstrated by uploading a .htaccess file.
CVE-2015-8800 1 Broadcom 5 Symantec Critical System Protection, Symantec Data Center Security Server, Symantec Data Center Security Server And Agents and 2 more 2024-02-28 4.9 MEDIUM 7.3 HIGH
Symantec Embedded Security: Critical System Protection (SES:CSP) 1.0.x before 1.0 MP5, Embedded Security: Critical System Protection for Controllers and Devices (SES:CSP) 6.5.0 before MP1, Critical System Protection (SCSP) before 5.2.9 MP6, Data Center Security: Server Advanced Server (DCS:SA) 6.x before 6.5 MP1 and 6.6 before MP1, and Data Center Security: Server Advanced Server and Agents (DCS:SA) through 6.6 MP1 allow remote authenticated users to conduct argument-injection attacks by leveraging certain named-pipe access.
CVE-2015-2704 1 Realmd Project 1 Realmd 2024-02-28 5.0 MEDIUM N/A
realmd allows remote attackers to inject arbitrary configurations into sssd.conf and smb.conf via a newline character in an LDAP response.
CVE-2015-0169 1 Ibm 1 Security Siteprotector System 2024-02-28 4.0 MEDIUM N/A
IBM Security SiteProtector System 3.0 before 3.0.0.7, 3.1 before 3.1.0.4, and 3.1.1 before 3.1.1.2 allows remote authenticated users to inject arguments via unspecified vectors.
CVE-2015-3200 3 Hp, Lighttpd, Oracle 3 Virtual Customer Access System, Lighttpd, Solaris 2024-02-28 5.0 MEDIUM 7.5 HIGH
mod_auth in lighttpd before 1.4.36 allows remote attackers to inject arbitrary log entries via a basic HTTP authentication string without a colon character, as demonstrated by a string containing a NULL and new line character.