Search Results (6974 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2017-9807 1 Openwebif Project 1 Openwebif 2025-04-20 N/A
An issue was discovered in the OpenWebif plugin through 1.2.4 for E2 open devices. The saveConfig function of "plugin/controllers/models/config.py" performs an eval() call on the contents of the "key" HTTP GET parameter. This allows an unauthenticated remote attacker to execute arbitrary Python code or OS commands via api/saveconfig.
CVE-2014-3582 1 Apache 1 Ambari 2025-04-20 N/A
In Ambari 1.2.0 through 2.2.2, it may be possible to execute arbitrary system commands on the Ambari Server host while generating SSL certificates for hosts in an Ambari cluster.
CVE-2017-1001004 1 Typed Function Project 1 Typed Function 2025-04-20 N/A
typed-function before 0.10.6 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.
CVE-2017-10835 1 Nippon-antenna 2 Scr02hd, Scr02hd Firmware 2025-04-20 N/A
"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.
CVE-2015-3640 1 Phpmybackuppro 1 Phpmybackuppro 2025-04-20 N/A
phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts.
CVE-2017-14077 1 Phpcaptcha 1 Securimage 2025-04-20 N/A
HTML Injection in Securimage 3.6.4 and earlier allows remote attackers to inject arbitrary HTML into an e-mail message body via the $_SERVER['HTTP_USER_AGENT'] parameter to example_form.ajax.php or example_form.php.
CVE-2017-14146 1 Helpdezk 1 Helpdezk 2025-04-20 N/A
HelpDEZk 1.1.1 allows remote authenticated users to execute arbitrary PHP code by uploading a .php attachment and then requesting it in the helpdezk\app\uploads\helpdezk\attachments\ directory.
CVE-2017-14198 1 Squiz 1 Matrix 2025-04-20 N/A
An issue was discovered in Squiz Matrix before 5.3.6.1 and 5.4.x before 5.4.1.3. Authenticated users with permissions to edit design assets can cause Remote Code Execution (RCE) via a maliciously crafted time_format tag.
CVE-2017-1001002 1 Mathjs 1 Math.js 2025-04-20 N/A
math.js before 3.17.0 had an arbitrary code execution in the JavaScript engine. Creating a typed function with JavaScript code in the name could result arbitrary execution.
CVE-2015-0249 1 Apache 1 Roller 2025-04-20 N/A
The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL).
CVE-2015-0855 1 Pitivi 1 Pitivi 2025-04-20 N/A
The _mediaLibraryPlayCb function in mainwindow.py in pitivi before 0.95 allows attackers to execute arbitrary code via shell metacharacters in a file path.
CVE-2014-3927 1 Mrlg4php Project 1 Mrlg4php 2025-04-20 N/A
mrlg-lib.php in mrlg4php before 1.0.8 allows remote attackers to execute arbitrary shell code.
CVE-2015-2252 1 Huawei 2 Oceanstor Uds, Oceanstor Uds Firmware 2025-04-20 N/A
Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to execute arbitrary code with root privileges via a crafted UDS patch with shell scripts.
CVE-2014-9463 2 Vbseo, Vbulletin 2 Vbseo, Vbulletin 2025-04-20 N/A
functions_vbseo_hook.php in the VBSEO module for vBulletin allows remote authenticated users to execute arbitrary code via the HTTP Referer header to visitormessage.php.
CVE-2014-4000 1 Cacti 1 Cacti 2025-04-20 N/A
Cacti before 1.0.0 allows remote authenticated users to conduct PHP object injection attacks and execute arbitrary PHP code via a crafted serialized object, related to calling unserialize(stripslashes()).
CVE-2015-6531 1 Paloaltonetworks 1 Pan-os 2025-04-20 N/A
Palo Alto Networks Panorama VM Appliance with PAN-OS before 6.0.1 might allow remote attackers to execute arbitrary Python code via a crafted firmware image file.
CVE-2015-6576 1 Atlassian 1 Bamboo 2025-04-20 N/A
Bamboo 2.2 before 5.8.5 and 5.9.x before 5.9.7 allows remote attackers with access to the Bamboo web interface to execute arbitrary Java code via an unspecified resource.
CVE-2015-8351 1 Gwolle Guestbook Project 1 Gwolle Guestbook 2025-04-20 N/A
PHP remote file inclusion vulnerability in the Gwolle Guestbook plugin before 1.5.4 for WordPress, when allow_url_include is enabled, allows remote authenticated users to execute arbitrary PHP code via a URL in the abspath parameter to frontend/captcha/ajaxresponse.php. NOTE: this can also be leveraged to include and execute arbitrary local files via directory traversal sequences regardless of whether allow_url_include is enabled.
CVE-2017-5543 1 Intelliants 1 Subrion 2025-04-20 N/A
includes/classes/ia.core.users.php in Subrion CMS 4.0.5 allows remote attackers to conduct PHP Object Injection attacks via crafted serialized data in a salt cookie in a login request.
CVE-2017-17649 1 Readymade Video Sharing Script Project 1 Readymade Video Sharing Script 2025-04-20 N/A
Readymade Video Sharing Script 3.2 has HTML Injection via the single-video-detail.php comment parameter.