Total
3677 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-14827 | 1 Moodle | 1 Moodle | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A vulnerability was found in Moodle where javaScript injection was possible in some Mustache templates via recursive rendering from contexts. Mustache helper tags that were included in template contexts were not being escaped before that context was injected into another Mustache helper, which could result in script injection in some templates. This affects versions 3.7 to 3.7.1, 3.6 to 3.6.5, 3.5 to 3.5.7 and earlier unsupported versions. | |||||
| CVE-2019-14746 | 1 Kuaifan | 1 Kuaifancms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| A issue was discovered in KuaiFanCMS 5.0. It allows eval injection by placing PHP code in the install.php db_name parameter and then making a config.php request. | |||||
| CVE-2019-14282 | 1 Simple Captcha2 Project | 1 Simple Captcha2 | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | |||||
| CVE-2019-14281 | 1 Datagrid Project | 1 Datagrid | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. | |||||
| CVE-2019-13956 | 1 Codersclub | 1 Discuz\!ml | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| Discuz!ML 3.2 through 3.4 allows remote attackers to execute arbitrary PHP code via a modified language cookie, as demonstrated by changing 4gH4_0df5_language=en to 4gH4_0df5_language=en'.phpinfo().'; (if the random prefix 4gH4_0df5_ were used). | |||||
| CVE-2019-13714 | 2 Google, Opensuse | 2 Chrome, Backports Sle | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Insufficient validation of untrusted input in Color Enhancer extension in Google Chrome prior to 78.0.3904.70 allowed a remote attacker to inject CSS into an HTML page via a crafted URL. | |||||
| CVE-2019-13558 | 1 Advantech | 1 Webaccess | 2024-11-21 | 9.0 HIGH | 9.8 CRITICAL |
| In WebAccess versions 8.4.1 and prior, an exploit executed over the network may cause improper control of generation of code, which may allow remote code execution, data exfiltration, or cause a system crash. | |||||
| CVE-2019-13372 | 1 Dlink | 1 Central Wifimanager | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| /web/Lib/Action/IndexAction.class.php in D-Link Central WiFi Manager CWM(100) before v1.03R0100_BETA6 allows remote attackers to execute arbitrary PHP code via a cookie because a cookie's username field allows eval injection, and an empty password bypasses authentication. | |||||
| CVE-2019-13354 | 1 Strong Password Project | 1 Strong Password | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
| The strong_password gem 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 0.0.6. | |||||
| CVE-2019-12844 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A possible stored JavaScript injection was detected on one of the JetBrains TeamCity pages. The issue was fixed in TeamCity 2018.2.3. | |||||
| CVE-2019-12843 | 1 Jetbrains | 1 Teamcity | 2024-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| A possible stored JavaScript injection requiring a deliberate server administrator action was detected. The issue was fixed in JetBrains TeamCity 2018.2.3. | |||||
| CVE-2019-12761 | 1 Python | 1 Pyxdg | 2024-11-21 | 5.1 MEDIUM | 7.5 HIGH |
| A code injection issue was discovered in PyXDG before 0.26 via crafted Python code in a Category element of a Menu XML document in a .menu file. XDG_CONFIG_DIRS must be set up to trigger xdg.Menu.parse parsing within the directory containing this file. This is due to a lack of sanitization in xdg/Menu.py before an eval call. | |||||
| CVE-2019-11642 | 1 Oneshield | 1 Oneshield Policy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
| A log poisoning vulnerability has been discovered in the OneShield Policy (Dragon Core) framework before 5.1.10. Authenticated remote adversaries can poison log files by entering malicious payloads in either headers or form elements. These payloads are then executed via a client side debugging console. This is predicated on the debugging console and Java Bean being made available to the deployed application. | |||||
| CVE-2019-11594 | 1 Getadblock | 1 Adblock | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In AdBlock before 3.45.0, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect. | |||||
| CVE-2019-11593 | 1 Adblockplus | 1 Adblock Plus | 2024-11-21 | 6.8 MEDIUM | 8.1 HIGH |
| In Adblock Plus before 3.5.2, the $rewrite filter option allows filter-list maintainers to run arbitrary code in a client-side session when a web service loads a script for execution using XMLHttpRequest or Fetch, and the script origin has an open redirect. | |||||
| CVE-2019-11552 | 1 Code42 | 2 Code42 For Enterprise, Crashplan For Small Business | 2024-11-21 | 4.4 MEDIUM | 7.0 HIGH |
| Code42 Enterprise and Crashplan for Small Business Client version 6.7 before 6.7.5, 6.8 before 6.8.8, and 6.9 before 6.9.4 allows eval injection. A proxy auto-configuration file, crafted by a lesser privileged user, may be used to execute arbitrary code at a higher privilege as the service user. | |||||
| CVE-2019-11376 | 1 Brassica | 1 Soy Cms | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| SOY CMS v3.0.2 allows remote attackers to execute arbitrary PHP code via a <?php substring in the second text box. NOTE: the vendor indicates that there was an assumption that the content is "made editable on its own. | |||||
| CVE-2019-11201 | 1 Dolibarr | 1 Dolibarr Erp\/crm | 2024-11-21 | 8.5 HIGH | 8.0 HIGH |
| Dolibarr ERP/CRM 9.0.1 provides a module named website that provides for creation of public websites with a WYSIWYG editor. It was identified that the editor also allowed inclusion of dynamic code, which can lead to code execution on the host machine. An attacker has to check a setting on the same page, which specifies the inclusion of dynamic content. Thus, a lower privileged user of the application can execute code under the context and permissions of the underlying web server. | |||||
| CVE-2019-10863 | 1 Combodo | 1 Teemip | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
| A command injection vulnerability exists in TeemIp versions before 2.4.0. The new_config parameter of exec.php allows one to create a new PHP file with the exception of config information. The malicious PHP code sent is executed instantaneously and is not saved on the server. | |||||
| CVE-2019-10842 | 1 Getbootstrap | 1 Bootstrap-sass | 2024-11-21 | 10.0 HIGH | 9.8 CRITICAL |
| Arbitrary code execution (via backdoor code) was discovered in bootstrap-sass 3.2.0.3, when downloaded from rubygems.org. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute arbitrary code on the target system. Note that there are three underscore characters in the cookie name. This is unrelated to the __cfduid cookie that is legitimately used by Cloudflare. | |||||