Total
3865 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-16975 | 1 Elefantcms | 1 Elefant | 2024-08-05 | N/A |
| An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php. | ||||
| CVE-2018-16771 | 1 Hoosk | 1 Hoosk | 2024-08-05 | N/A |
| Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. | ||||
| CVE-2018-16343 | 1 Seacms | 1 Seacms | 2024-08-05 | N/A |
| SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. | ||||
| CVE-2018-16168 | 1 Jpcert | 1 Logontracer | 2024-08-05 | N/A |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct Python code injection attacks via unspecified vectors. | ||||
| CVE-2018-13818 | 1 Symfony | 1 Twig | 2024-08-05 | N/A |
| Twig before 2.4.4 allows Server-Side Template Injection (SSTI) via the search search_key parameter. NOTE: the vendor points out that Twig itself is not a web application and states that it is the responsibility of web applications using Twig to properly wrap input to it | ||||
| CVE-2018-15886 | 1 Monstra | 1 Monstra | 2024-08-05 | N/A |
| Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring. | ||||
| CVE-2018-15728 | 1 Couchbase | 1 Couchbase Server | 2024-08-05 | N/A |
| Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2 | ||||
| CVE-2018-14910 | 1 Seacms | 1 Seacms | 2024-08-05 | N/A |
| SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. | ||||
| CVE-2018-14716 | 1 Nystudio107 | 1 Seomatic | 2024-08-05 | 7.5 High |
| A Server Side Template Injection (SSTI) was discovered in the SEOmatic plugin before 3.1.4 for Craft CMS, because requests that don't match any elements incorrectly generate the canonicalUrl, and can lead to execution of Twig code. | ||||
| CVE-2018-14667 | 1 Redhat | 5 Enterprise Linux, Jboss Enterprise Application Platform, Jboss Enterprise Brms Platform and 2 more | 2024-08-05 | 9.8 Critical |
| The RichFaces Framework 3.X through 3.3.4 is vulnerable to Expression Language (EL) injection via the UserResource resource. A remote, unauthenticated attacker could exploit this to execute arbitrary code using a chain of java serialized objects via org.ajax4jsf.resource.UserResource$UriData. | ||||
| CVE-2018-14630 | 1 Moodle | 1 Moodle | 2024-08-05 | N/A |
| moodle before versions 3.5.2, 3.4.5, 3.3.8, 3.1.14 is vulnerable to an XML import of ddwtos could lead to intentional remote code execution. When importing legacy 'drag and drop into text' (ddwtos) type quiz questions, it was possible to inject and execute PHP code from within the imported questions, either intentionally or by importing questions from an untrusted source. | ||||
| CVE-2018-14399 | 1 Phpcms Project | 1 Phpcms | 2024-08-05 | N/A |
| libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attackers to upload and execute arbitrary PHP code via a .txt?.php#.jpg URI in the SRC attribute of an IMG element within info[content] JSON data to the index.php?m=member&c=index&a=register URI. | ||||
| CVE-2018-14421 | 1 Seacms | 1 Seacms | 2024-08-05 | N/A |
| SeaCMS v6.61 allows Remote Code execution by placing PHP code in a movie picture address (aka v_pic) to /admin/admin_video.php (aka /backend/admin_video.php). The code is executed by visiting /details/index.php. This can also be exploited through CSRF. | ||||
| CVE-2018-13043 | 2 Canonical, Debian | 2 Ubuntu Linux, Devscripts | 2024-08-05 | N/A |
| scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading because YAML::Syck is used without a configuration that prevents unintended blessing. | ||||
| CVE-2018-12994 | 1 Onefilecms | 1 Onefilecms | 2024-08-05 | N/A |
| onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the New File screen. | ||||
| CVE-2018-12995 | 1 Onefilecms | 1 Onefilecms | 2024-08-05 | N/A |
| onefilecms.php in OneFileCMS through 2012-04-14 might allow attackers to execute arbitrary PHP code via a .php filename on the Upload screen. | ||||
| CVE-2018-12533 | 1 Redhat | 3 Jboss Enterprise Application Platform, Jboss Operations Network, Richfaces | 2024-08-05 | N/A |
| JBoss RichFaces 3.1.0 through 3.3.4 allows unauthenticated remote attackers to inject expression language (EL) expressions and execute arbitrary Java code via a /DATA/ substring in a path with an org.richfaces.renderkit.html.Paint2DResource$ImageData object, aka RF-14310. | ||||
| CVE-2018-12531 | 1 Metinfo | 1 Metinfo | 2024-08-05 | N/A |
| An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271. | ||||
| CVE-2018-12532 | 1 Redhat | 1 Richfaces | 2024-08-05 | N/A |
| JBoss RichFaces 4.5.3 through 4.5.17 allows unauthenticated remote attackers to inject an arbitrary expression language (EL) variable mapper and execute arbitrary Java code via a MediaOutputResource's resource request, aka RF-14309. | ||||
| CVE-2018-11587 | 1 Centreon | 2 Centreon, Centreon Web | 2024-08-05 | N/A |
| There is Remote Code Execution in Centreon 3.4.6 including Centreon Web 2.8.23 via the RPN value in the Virtual Metric form in centreonGraph.class.php. | ||||