Total: 5306 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2019-17613 | 1 Qibosoft | 1 Qibosoft | 2024-11-21 | 9.8 Critical |
| qibosoft 7 allows remote code execution because do/jf.php makes eval calls. The attacker can use the Point Introduction Management feature to supply PHP code to be evaluated. Alternatively, the attacker can access admin/index.php?lfj=jfadmin&action=addjf via CSRF, as demonstrated by a payload in the content parameter. | ||||
| CVE-2019-17526 | 1 Sagemath | 1 Sagemathcell | 2024-11-21 | 9.8 Critical |
| An issue was discovered in SageMath Sage Cell Server through 2019-10-05. Python Code Injection can occur in the context of an internet-facing web application. Malicious actors can execute arbitrary commands on the underlying operating system, as demonstrated by an `__import__('os').popen('whoami').read()` line. NOTE: the vendor's position is that the product is "vulnerable by design" and the current behavior will be retained. | ||||
| CVE-2019-17408 | 1 Zzzcms | 1 Zzzphp | 2024-11-21 | 9.8 Critical |
| parserIfLabel in inc/zzz_template.php in ZZZCMS zzzphp 1.7.3 allows remote attackers to execute arbitrary code because the danger_key function can be bypassed via manipulations such as strtr. | ||||
| CVE-2019-17310 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Campaigns module by an Admin user. | ||||
| CVE-2019-17309 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the EmailMan module by an Admin user. | ||||
| CVE-2019-17308 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user. | ||||
| CVE-2019-17307 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user. | ||||
| CVE-2019-17306 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user. | ||||
| CVE-2019-17305 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Regular user. | ||||
| CVE-2019-17304 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user. | ||||
| CVE-2019-17303 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by a Developer user. | ||||
| CVE-2019-17302 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by a Developer user. | ||||
| CVE-2019-17301 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the ModuleBuilder module by an Admin user. | ||||
| CVE-2019-17300 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 8.8 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user. | ||||
| CVE-2019-17299 | 1 Sugarcrm | 1 Sugarcrm | 2024-11-21 | 7.2 High |
| SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user. | ||||
| CVE-2019-17268 | 1 Omniauth-weibo-oauth2 Project | 1 Omniauth-weibo-oauth2 | 2024-11-21 | 9.8 Critical |
| The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected. | ||||
| CVE-2019-17132 | 1 Vbulletin | 1 Vbulletin | 2024-11-21 | 9.8 Critical |
| vBulletin through 5.5.4 mishandles custom avatars. | ||||
| CVE-2019-16885 | 1 Okay-cms | 1 Okaycms | 2024-11-21 | 9.8 Critical |
| In OkayCMS through 2.3.4, an unauthenticated attacker can achieve remote code execution by injecting a malicious PHP object via a crafted cookie. This could happen at two places: first in view/ProductsView.php using the cookie price_filter, and second in api/Comparison.php via the cookie comparison. | ||||
| CVE-2019-16774 | 1 Phpfastcache | 1 Phpfastcache | 2024-11-21 | 4.4 Medium |
| In phpfastcache before 5.1.3, there is a possible object injection vulnerability in the cookie driver. | ||||
| CVE-2019-16645 | 1 Embedthis | 1 Goahead | 2024-11-21 | 8.6 High |
| An issue was discovered in Embedthis GoAhead 2.5.0. Certain pages (such as goform/login and config/log_off_page.htm) create links containing a hostname obtained from an arbitrary HTTP Host header sent by an attacker. This could potentially be used in a phishing attack. | ||||