Show CWE-94: Improper Control of Generation of Code ('Code Injection')

	Topic	Date	Author
High	Eramba 3.19.1 Remote Command Execution	01.08.2023	Sergey Makarov
High	WordPress Ninja Forms Code Injection	20.06.2022	Ramuel Gall
Med.	SAP Application Server ABAP / ABAP Platform Code Injection / SQL Injection / Missing Authorization	22.05.2022	Fabian Hagg
High	iTop < 2.7.6 - (Authenticated) Remote command execution	22.05.2022	Alexandre Zanni
Low	FLEX 1085 Web 1.6.0 - HTML Injection	10.03.2022	Mr Empy
Med.	SAP Netweaver IUUC_RECON_RC_COUNT_TABLE_BIG ABAP Code Injection	16.12.2021	Raschin Tavakoli
High	SAP Netweaver IUUC_GENERATE_ACPLAN_DELIMITER ABAP Code Injection	16.12.2021	Raschin Tavakoli
High	Dolibarr ERP / CRM 13.0.2 Remote Code Execution	10.11.2021	Nick Decker
High	SAP XMII Remote Code Execution	15.06.2021	Nicolas Raus
High	IPS Community Suite 4.5.4.2 PHP Code Injection	31.05.2021	EgiX
High	WP Super Cache WordPress Plugin <= 1.7.1 - Authenticated RCE / XSS -> RCE	19.03.2021	m0ze
Med.	ExpressionEngine 6.0.2 PHP Code Injection	17.03.2021	EgiX
Med.	OpenMediaVault rpc.php Authenticated PHP Code Injection	25.11.2020	Anastasios Stasinopoul...
High	Netsweeper WebAdmin unixlogin.php Python Code Injection	13.05.2020	wvu
Med.	Total.js CMS 12 Widget JavaScript Code Injection (Metasploit)	23.10.2019	sinn3r
Med.	Total.js CMS 12 Widget JavaScript Code Injection	22.10.2019	sinn3r
High	pfSense 2.3.4 / 2.4.4-p3 Remote Code Injection	25.09.2019	Nassim Asrir
High	Totaljs CMS 12.0 Widget Creation Code Injection	05.09.2019	Riccardo Krauter
Med.	Leica Geosystems GR10/GR25/GR30/GR50 GNSS 4.30.063 JS/HTML Code Injection	10.01.2019	Gjoko 'LiquidWorm' Krs...
Med.	Wifi-soft Unibox 2.x Remote Command / Code Injection	10.01.2019	Sahil Dhar
High	National Instruments Linux Driver Remote Code Injection	21.07.2018	Enrico Weigelt
Med.	Dolibarr ERP CRM 7.0.3 Code Injection	02.07.2018	om3rcitak
High	phpMyFAQ 2.9.9 Code Injection	18.11.2017	tomplixsee
Low	jRank - Topsites Script 1.0 - Cross-Site Request Forgery	11.09.2017	Ihsan Sencan
Med.	VMware Horizons macOS Client Code Injection	12.07.2017	Florian Bogner
Med.	BanManager WebUI 1.5.8 Code Injection / Cross Site Scripting	11.05.2017	HaHwul
High	XenForo 1.5.x Remote Code Execution	16.12.2016	Vishal Mishra
Med.	Trend Micro Smart Protection Server Exec Remote Code Injection	15.11.2016	Keiser
High	SPIP 3.1.2 Template Compiler / Composer PHP Code Execution	20.10.2016	Nicolas CHATELAIN
High	Lepton CMS 2.2.0 / 2.2.1 PHP Code Injection	17.08.2016	hyp3rlinx
High	IPS Community Suite 4.1.12.3 PHP Code Injection	09.07.2016	Egidio Romano
High	SugarCRM <= 6.5.18 Two PHP Code Injection Vulnerabilities	24.06.2016	Egidio Romano
High	Exponent 2.3.7 PHP Code Execution	12.02.2016	High-Tech Bridge Secur...
High	phpMyFAQ 2.7.9 PHP Code Injection	23.12.2015	indoushkan
Low	WordPress woocommerce plugin v2.4.12 PHP Code Injection Vulnerability	21.12.2015	indoushka
High	DMarket 1.0 Remote PHP Code Injection	08.12.2015	indoushka
High	Advantech Switch Bash Environment Variable Code Injection	02.12.2015	hdm
High	ATutor 2.2 PHP Code Injection	05.11.2015	Egidio Romano.
High	WordPress eShop 6.3.11 Code Execution	06.05.2015	High-Tech Bridge Secur...
Med.	Webshop hun v1.062S /index.php Multiple Parameters SQL	05.03.2015	Wang Jing
Low	RelateIQ Mail Encoding Script Code Injection	17.12.2014	Vulnerability Lab
High	WordPress CM Download Manager 2.0.0 Code Injection	21.11.2014	Phi Le Ngoc
High	MantisBT XmlImportExport Plugin PHP Code Injection	18.11.2014	Juan Escobar
High	CUPS Filter Bash Environment Variable Code Injection	29.10.2014	Brendan Coles
High	SAP HANA Web-based Development Workbench Code Injection	09.10.2014	Will Vandevanter
High	Pure-FTPd External Authentication Bash Environment Variable Code Injection	02.10.2014	Spencer
High	DHCP Client Bash Environment Variable Code Injection	29.09.2014	Ramon
High	Apache mod_cgi Bash Environment Variable Code Injection	28.09.2014	Juan vazquez
High	CGI Remote Code Injection by Bash Proof Of Concept	25.09.2014	Prakhar Prasad && Subh...
High	PayPal SecurityKey Card Serialnumber Module Code Injection	19.06.2014	Vulnerability Lab
High	EGroupware 1.8.006 Cross Site Request Forgery / Code Injection	16.05.2014	High-Tech Bridge Secur...
High	Eventum 2.3.4 Incorrect Permissions / Code Injection	29.01.2014	High-Tech Bridge Secur...
High	bloofoxCMS 0.5.0 CSRF / PHP Code Injection	18.01.2014	AtT4CKxT3rR0r1ST
High	openSIS 5.2 PHP Code Injection	08.12.2013	Egidio Romano
High	Eaton Network Shutdown Module 3.21 PHP Code Injection	07.12.2013	Filip Waeytens
High	ZoneDirector Code Injection	13.11.2013	Erik van Eijk
High	GLPI 0.84.1 Access Control & Code Injection	03.10.2013	High-Tech Bridge Secur...
High	vtiger CRM 5.4.0 PHP Code Injection	02.08.2013	Egidio Romano
High	Foreman (Red Hat OpenStack/Satellite) Code Injection	23.07.2013	Ramon de C Valle
High	230 CMS 1.1.2012 PHP Code Injection	13.06.2013	CWH Underground
High	mkCMS 3.6 PHP Code Injection	12.06.2013	CWH Underground
High	Lokboard 1.1 PHP Code Injection	11.06.2013	CWH Underground
High	MaxForum 2.0.0 Multiple Vulnerabilities	10.06.2013	CWH Underground
High	Napata CMS 1.5.2013 PHP Code Injection	06.06.2013	CWH Underground
High	CMS Gratis Indonesia PHP Code Injection	05.06.2013	CWH Underground
Low	PHP4DVD 2.0 Code Injection	03.06.2013	CWH Underground
High	PHPvocabtionary Code Injection	08.05.2013	Slotleet
High	phpMyAdmin 3.5.8 Authenticated Remote Code Execution Exploit	30.04.2013	Ben Campbell
High	phpMyAdmin 3.5.8 LFI & Array Overwrite & Remote code execution	25.04.2013	waraxe
High	SAP NetWeaver Remote ABAP Code Injection	25.04.2013	ESNC
High	FUDforum 3.0.4 Code Injection	04.04.2013	High-Tech Bridge Secur...
High	SQLiteManager 1.2.4 PHP Code Injection	26.01.2013	RealGame
High	PHP Lite Admin 1.9.3 Code Injection	11.01.2013	L@usch
High	Elastix 2.3 PHP Code Injection	05.01.2013	Faris AKA i-Hmx
Low	Apple WGT Dictionnaire 1.3 Script Code Injection	28.11.2012	Vulnerability Lab
High	Wordpress Plugin BackWPup 1.6.1 Remote auth bypass	16.10.2012	Sense of Security
High	PhpTax pfilez Parameter Exec Remote Code Injection	10.10.2012	sinn3r
High	Am4ss 1.2 PHP Code Injection	04.08.2012	Faris , aka i-Hmx
High	MyWebFTP 5.3.3 & OurWebFTP 5.3.4 Remote PHP Code Execution Vulnerability	24.07.2012	condis
High	Pligg 0.9 BETA / 1.1.1 Multiple Vuln / Remote Code Execution	22.07.2012	BlackHawk
High	Log1 CMS writeInfo() PHP Code Injection	05.06.2012	sinn3r
Med.	ispVM System 18.0.2 XCF File Handling Overflow	30.05.2012	Unknown
High	Small CMS PHP Code Injection	28.05.2012	L3b-r1'z
High	PHP List 2.10.9 PHP Code Injection	28.05.2012	L3b-r1'z
High	WeBid converter.php Remote PHP Code Injection	26.05.2012	EgiX
High	OpenOffice OLE Importer DocumentSummaryInformation Stream Handling Overflow	24.05.2012	juan vazquez
High	Active Collab \"chat module\" 2.3.8 Remote PHP Code Injection	22.05.2012	mr_me
High	eLearning Server 4G Remote File Inclusion / SQL Injection	11.05.2012	Eugene Salov
High	phpEnter Code Injection	09.05.2012	L3b-r1'z
High	WebCalendar 1.2.4 Remote Code Injection (Metasploit)	01.05.2012	sinn3r
High	Microsoft MSCOMCTL ActiveX Buffer Overflow (MS12-027)	26.04.2012	juan vazquez and sinn3...
High	swDesk Shell Upload / Code Injection / XSS	02.02.2012	Red Security TEAM
Low	HostBill 2.3 Remote Code Injection	31.01.2012	Dr.DaShE
High	vBSEO 3.6.0 PHP Code Injection	31.01.2012	EgiX
High	Tiki Wiki CMS Groupware <= 8.2 (snarf_ajax.php) Remote PHP Code Injection	30.12.2011	Egidio Romano aka EgiX
High	PHP 5.3.7+ issue is_a function	11.11.2011	Cipriano Groenendal
High	Groones Simple Contact Form (abspath) Remote File Inclusion Vulnerability	11.11.2011	g1xsystem
High	HINNENDAHL.COM Gaestebuch 1.2 Remote File Inclusion Vulnerability	12.10.2011	bd0rk
High	HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Remote Code Execution	26.08.2011	HP
High	Symantec System Center Alert Management System (xfr.exe) Arbitrary Command Execution	24.08.2011	IBM

CVEMAP Search Results

CVE

Details

Description

2024-10-18

CVE-2024-9593

Updating...

The Time Clock plugin and Time Clock Pro plugin for WordPress are vulnerable to Remote Code Execution in versions up to, and including, 1.2.2 (for Time Clock) and 1.1.4 (for Time Clock Pro) via the 'etimeclockwp_load_function_callback' function. This allows unauthenticated attackers to execute code on the server. The invoked function's parameters cannot be specified.

2024-10-17

CVE-2024-45766	Updating...	Dell OpenManage Enterprise, version(s) OME 4.1 and prior, contain(s) an Improper Control of Generation of Code ('Code Injection') vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Code execution.
CVE-2024-49579	Updating...	In JetBrains YouTrack before 2024.3.47197 insecure plugin iframe allowed arbitrary JavaScript execution and unauthorized API requests
CVE-2024-10073	Updating...	A vulnerability, which was classified as critical, was found in flairNLP flair 0.14.0. Affected is the function ClusteringModel of the file flair\models\clustering.py of the component Mode File Loader. The manipulation leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

2024-10-16

	CVE-2024-9061	Updating...	The The WP Popup Builder �?? Popup Forms and Marketing Lead Generation plugin for WordPress is vulnerable to arbitrary shortcode execution via the wp_ajax_nopriv_shortcode_Api_Add AJAX action in all versions up to, and including, 1.3.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. NOTE: This vulnerability was partially fixed in version 1.3.5 with a nonce check, which effectively prevented access to the affected function. However, version 1.3.6 incorporates the correct authorization check to prevent unauthorized access.
	CVE-2024-49254	Updating...	Improper Control of Generation of Code ('Code Injection') vulnerability in Sunjianle allows Code Injection.This issue affects ajax-extend: from n/a through 1.0.

2024-10-15

CVE-2024-9837

Updating...

The The AADMY �?? Add Auto Date Month Year Into Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

2024-10-12

CVE-2024-8760

Updating...

The Stackable �?? Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users.

2024-10-10

CVE-2024-9581

Updating...

The Shortcodes AnyWhere plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.0.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

2024-10-07

CVE-2024-43363

Updating...

Cacti is an open source performance and fault management framework. An admin user can create a device with a malicious hostname containing php code and repeat the installation process (completing only step 5 of the installation process is enough, no need to complete the steps before or after it) to use a php file as the cacti log file. After having the malicious hostname end up in the logs (log poisoning), one can simply go to the log file url to execute commands to achieve RCE. This issue has been addressed in version 1.2.28 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

01.08.2023

20.06.2022

22.05.2022

22.05.2022

10.03.2022

16.12.2021

16.12.2021

10.11.2021

15.06.2021

31.05.2021

19.03.2021

17.03.2021

25.11.2020

13.05.2020

23.10.2019

22.10.2019

25.09.2019

05.09.2019

10.01.2019

10.01.2019

21.07.2018

02.07.2018

18.11.2017

11.09.2017

12.07.2017

11.05.2017

16.12.2016

15.11.2016

20.10.2016

17.08.2016

09.07.2016

24.06.2016

12.02.2016

23.12.2015

21.12.2015

08.12.2015

02.12.2015

05.11.2015

06.05.2015

05.03.2015

17.12.2014

21.11.2014

18.11.2014

29.10.2014

09.10.2014

02.10.2014

29.09.2014

28.09.2014

25.09.2014

19.06.2014

16.05.2014

29.01.2014

18.01.2014

08.12.2013

07.12.2013

13.11.2013

03.10.2013

02.08.2013

23.07.2013

13.06.2013

12.06.2013

11.06.2013

10.06.2013

06.06.2013

05.06.2013

03.06.2013

08.05.2013

30.04.2013

25.04.2013

25.04.2013

04.04.2013

26.01.2013

11.01.2013

05.01.2013

28.11.2012