| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| generate_doygen.pl in ace before 6.2.7+dfsg-2 creates predictable file names in the /tmp directory which allows attackers to gain elevated privileges. |
| Buffer overflow in CHICKEN 4.9.0 and 4.9.0.1 may allow remote attackers to execute arbitrary code via the 'select' function. |
| Grand MA 300 allows a brute-force attack on the PIN. |
| Buffer overflow in Senkas Kolibri 2.0 allows remote attackers to execute arbitrary code via a long URI in a POST request. |
| Status2k does not remove the install directory allowing credential reset. |
| A vulnerability exits in Status2K 2.5 Server Monitoring Software via the multies parameter to includes/functions.php, which could let a malicious user execute arbitrary PHP code. |
| A vulnerability exists in Sphider Search Engine prior to 1.3.6 due to exec calls in admin/spiderfuncs.php, which could let a remote malicious user execute arbitrary code. |
| sphider prior to 1.3.6, sphider-pro prior to 3.2, and sphider-plus prior to 3.2 allow authentication bypass |
| SQL injection vulnerability in the checkPassword function in Symmetricom s350i 2.70.15 allows remote attackers to execute arbitrary SQL commands via vectors involving a username. |
| Cross-site scripting (XSS) vulnerability in Eucalyptus Management Console (EMC) 4.0.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. |
| Directory traversal vulnerability in the agentLogUploader servlet in ZOHO ManageEngine Desktop Central (DC) and Desktop Central Managed Service Providers (MSP) edition before 9 build 90055 allows remote attackers to write to and execute arbitrary files as SYSTEM via a .. (dot dot) in the filename parameter. |
| Déjà Vu Crescendo Sales CRM has remote SQL Injection |
| LPAR2RRD ≤ 4.53 and ≤ 3.5 has arbitrary command injection on the application server. |
| LPAR2RRD in 3.5 and earlier allows remote attackers to execute arbitrary commands due to insufficient input sanitization of the web GUI parameters. |
| Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command. |
| Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. |
| The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. |
| The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. |
| It was found that the jclouds scriptbuilder Statements class wrote a temporary file to a predictable location. An attacker could use this flaw to access sensitive data, cause a denial of service, or perform other attacks. |
| The CGIHTTPServer module in Python 2.7.5 and 3.3.4 does not properly handle URLs in which URL encoding is used for path separators, which allows remote attackers to read script source code or conduct directory traversal attacks and execute unintended code via a crafted character sequence, as demonstrated by a %2f separator. |