Search
Total
2052 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2013-2827 | 1 Wellintech | 3 Kingalarm\&event, Kinggraphic, Kingscada | 2014-01-16 | 7.5 HIGH | N/A |
| An unspecified ActiveX control in WellinTech KingSCADA before 3.1.2, KingAlarm&Event before 3.1, and KingGraphic before 3.1.2 allows remote attackers to download arbitrary DLL code onto a client machine and execute this code via the ProjectURL property value. | |||||
| CVE-2013-6385 | 1 Drupal | 1 Drupal | 2014-01-14 | 5.1 MEDIUM | N/A |
| The form API in Drupal 6.x before 6.29 and 7.x before 7.24, when used with unspecified third-party modules, performs form validation even when CSRF validation has failed, which might allow remote attackers to trigger application-specific impacts such as arbitrary code execution via application-specific vectors. | |||||
| CVE-2012-0262 | 1 Op5 | 2 Monitor, System-op5config | 2014-01-02 | 10.0 HIGH | N/A |
| op5config/welcome in system-op5config before 2.0.3 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the password parameter. | |||||
| CVE-2012-0261 | 1 Op5 | 2 Monitor, System-portal | 2014-01-02 | 10.0 HIGH | N/A |
| license.php in system-portal before 1.6.2 in op5 Monitor and op5 Appliance before 5.5.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the timestamp parameter for an install action. | |||||
| CVE-2013-6795 | 1 Rackspace | 1 Openstack Windows Guest Agent | 2013-12-26 | 9.3 HIGH | N/A |
| The Updater in Rackspace Openstack Windows Guest Agent for XenServer before 1.2.6.0 allows remote attackers to execute arbitrary code via a crafted serialized .NET object to TCP port 1984, which triggers the download and extraction of a ZIP file that overwrites the Agent service binary. | |||||
| CVE-2013-6421 | 1 Projectsprouts | 1 Sprout | 2013-12-20 | 7.5 HIGH | N/A |
| The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path. | |||||
| CVE-2013-4478 | 1 Supmua | 1 Sup | 2013-12-09 | 6.8 MEDIUM | N/A |
| Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment. | |||||
| CVE-2013-4446 | 2 Drupal, Steven Jones | 2 Drupal, Context | 2013-12-09 | 6.8 MEDIUM | N/A |
| The _json_decode function in plugins/context_reaction_block.inc in the Context module 6.x-2.x before 6.x-3.2 and 7.x-3.x before 7.x-3.0 for Drupal, when using a version of PHP that does not support the json_decode function, allows remote attackers to execute arbitrary PHP code via unspecified vectors related to Ajax operations, possibly involving eval injection. | |||||
| CVE-2013-1899 | 2 Canonical, Postgresql | 2 Ubuntu Linux, Postgresql | 2013-12-01 | 6.5 MEDIUM | N/A |
| Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen). | |||||
| CVE-2013-5912 | 1 Thomsonreuters | 1 Velocity Analytics Vhayu Analytic Server | 2013-11-29 | 10.0 HIGH | N/A |
| VhttpdMgr in Thomson Reuters Velocity Analytics Vhayu Analytic Server 6.94 build 2995 allows remote attackers to execute arbitrary code via a URL in the fileName parameter during an importFile action. | |||||
| CVE-2013-6866 | 1 Sybase | 1 Adaptive Server Enterprise | 2013-11-27 | 9.0 HIGH | N/A |
| SAP Sybase Adaptive Server Enterprise (ASE) before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka CR736689. | |||||
| CVE-2013-6865 | 1 Sybase | 1 Adaptive Server Enterprise | 2013-11-25 | 9.0 HIGH | N/A |
| SAP Sybase Adaptive Server Enterprise (ASE) 15.0.3 before 15.0.3 ESD#4.3, 15.5 before 15.5 ESD#5.3, and 15.7 before 15.7 SP50 or 15.7 SP100 allows remote authenticated users to execute arbitrary code via unspecified vectors, aka CR732989. | |||||
| CVE-2013-6830 | 1 Pineapp | 1 Mail-secure 5099sk | 2013-11-25 | 7.5 HIGH | N/A |
| admin/confnetworking.html in PineApp Mail-SeCure 3.70 and earlier on 5099SK and earlier platforms allows remote attackers to execute arbitrary commands via shell metacharacters in the nsserver parameter during an nslookup operation. | |||||
| CVE-2013-6829 | 1 Pineapp | 1 Mail-secure | 2013-11-21 | 7.5 HIGH | N/A |
| admin/confnetworking.html in PineApp Mail-SeCure allows remote attackers to execute arbitrary commands via shell metacharacters in the pinghost parameter during a ping operation. | |||||
| CVE-2013-3239 | 1 Phpmyadmin | 1 Phpmyadmin | 2013-11-19 | 4.6 MEDIUM | N/A |
| phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. | |||||
| CVE-2013-6366 | 1 Vmware | 1 Hyperic Hq | 2013-11-07 | 6.5 MEDIUM | N/A |
| The Groovy script console in VMware Hyperic HQ 4.6.6 allows remote authenticated administrators to execute arbitrary code via a Runtime.getRuntime().exec call. | |||||
| CVE-2013-4438 | 1 Saltstack | 1 Salt | 2013-11-07 | 7.5 HIGH | N/A |
| Salt (aka SaltStack) before 0.17.1 allows remote attackers to execute arbitrary YAML code via unspecified vectors. NOTE: the vendor states that this might not be a vulnerability because the YAML to be loaded has already been determined to be safe. | |||||
| CVE-2013-3631 | 1 Nas4free | 1 Nas4free | 2013-11-05 | 6.0 MEDIUM | N/A |
| NAS4Free 9.1.0.1.804 and earlier allows remote authenticated users to execute arbitrary PHP code via a request to exec.php, aka the "Advanced | Execute Command" feature. NOTE: this issue might not be a vulnerability, since it appears to be part of legitimate, intentionally-exposed functionality by the developer and is allowed within the intended security policy. | |||||
| CVE-2013-6349 | 1 Mcafee | 1 Email Gateway | 2013-11-04 | 8.5 HIGH | N/A |
| McAfee Email Gateway (MEG) 7.0 before 7.0.4 and 7.5 before 7.5.1 allows remote authenticated users to execute arbitrary commands via unspecified vectors. | |||||
| CVE-2013-2208 | 1 Andreas Krennmair | 1 Tpp | 2013-10-30 | 6.8 MEDIUM | N/A |
| tpp 1.3.1 allows remote attackers to execute arbitrary commands via a --exec command in a TPP template file. | |||||
| CVE-2013-3244 | 1 Sap | 1 Erp Central Component | 2013-10-25 | 6.0 MEDIUM | N/A |
| Multiple unspecified vulnerabilities in the CJDB_FILL_MEMORY_FROM_PPB function in the Project System (PS-IS) module for SAP ERP Central Component (ECC) allow remote attackers to execute arbitrary code via a (1) RFC or (2) SOAP-RFC request. | |||||
| CVE-2013-4203 | 1 Richard Cook | 1 Rgpg | 2013-10-15 | 7.5 HIGH | N/A |
| The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. | |||||
| CVE-2013-3651 | 1 Lockon | 1 Ec-cube | 2013-10-11 | 7.5 HIGH | N/A |
| LOCKON EC-CUBE 2.11.2 through 2.12.4 allows remote attackers to conduct unspecified PHP code-injection attacks via a crafted string, related to data/class/SC_CheckError.php and data/class/SC_FormParam.php. | |||||
| CVE-2013-5093 | 1 Graphite Project | 1 Graphite | 2013-10-07 | 6.8 MEDIUM | N/A |
| The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object. | |||||
| CVE-2013-5942 | 1 Graphite Project | 1 Graphite | 2013-10-07 | 6.8 MEDIUM | N/A |
| Graphite 0.9.5 through 0.9.10 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to (1) remote_storage.py, (2) storage.py, (3) render/datalib.py, and (4) whitelist/views.py, a different vulnerability than CVE-2013-5093. | |||||
| CVE-2013-6009 | 1 Open-xchange | 1 Open-xchange Appsuite | 2013-10-04 | 4.3 MEDIUM | N/A |
| CRLF injection vulnerability in Open-Xchange AppSuite before 7.2.2, when using AJP in certain conditions, allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the ajax/defer servlet. | |||||
| CVE-2013-0689 | 2 Emerson, Enea | 4 Dl 8000 Remote Terminal Unit, Roc 800 Remote Terminal Unit, Roc 800l Remote Terminal Unit and 1 more | 2013-10-03 | 10.0 HIGH | N/A |
| The TFTP server on the Emerson Process Management ROC800 RTU with software 3.50 and earlier, DL8000 RTU with software 2.30 and earlier, and ROC800L RTU with software 1.20 and earlier allows remote attackers to upload files and consequently execute arbitrary code via unspecified vectors. | |||||
| CVE-2013-4338 | 1 Wordpress | 1 Wordpress | 2013-10-02 | 7.5 HIGH | N/A |
| wp-includes/functions.php in WordPress before 3.6.1 does not properly determine whether data has been serialized, which allows remote attackers to execute arbitrary code by triggering erroneous PHP unserialize operations. | |||||
| CVE-2013-2582 | 1 Open-xchange | 2 Open-xchange Appsuite, Open-xchange Server | 2013-09-26 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in the redirect servlet in Open-Xchange AppSuite and Server before 6.22.0 rev15, 6.22.1 before rev17, 7.0.1 before rev6, and 7.0.2 before rev7 allows remote attackers to inject arbitrary HTTP headers and conduct open redirect attacks by leveraging improper sanitization of whitespace characters. | |||||
| CVE-2013-1647 | 1 Open-xchange | 1 Open-xchange Server | 2013-09-26 | 5.0 MEDIUM | N/A |
| Multiple CRLF injection vulnerabilities in Open-Xchange Server before 6.20.7 rev14, 6.22.0 before rev13, and 6.22.1 before rev14 allow remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted parameter, as demonstrated by (1) the location parameter to ajax/redirect or (2) multiple infostore URIs. | |||||
| CVE-2013-4813 | 1 Hp | 2 Identity Driven Manager, Procurve Manager | 2013-09-26 | 10.0 HIGH | N/A |
| The Agent (aka AgentController) servlet in HP ProCurve Manager (PCM) 3.20 and 4.0, PCM+ 3.20 and 4.0, and Identity Driven Manager (IDM) 4.0 allows remote attackers to execute arbitrary commands via a HEAD request, aka ZDI-CAN-1745. | |||||
| CVE-2011-5147 | 1 Freewebshop | 1 Freewebshop | 2013-09-12 | 5.0 MEDIUM | N/A |
| Static code injection vulnerability in ajax_save_name.php in the Ajax File Manager module in the tinymce plugin in FreeWebshop 2.2.9 R2 and earlier allows remote attackers to inject arbitrary PHP code into data.php via the selected document, as demonstrated by a call to ajax_file_cut.php and then to ajax_save_name.php. | |||||
| CVE-2006-6957 | 1 Docebo | 1 Docebo | 2013-08-31 | 6.8 MEDIUM | N/A |
| PHP remote file inclusion vulnerability in addons/mod_media/body.php in Docebo 3.0.3 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the GLOBALS[where_framework] parameter. NOTE: this issue might be resultant from a global overwrite vulnerability. This issue is similar to CVE-2006-2576 and CVE-2006-3107, but the vectors are different. | |||||
| CVE-2013-1435 | 1 Cacti | 1 Cacti | 2013-08-30 | 7.5 HIGH | N/A |
| (1) snmp.php and (2) rrd.php in Cacti before 0.8.8b allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors. | |||||
| CVE-2013-5647 | 2 Adam Zaninovich, Ruby-lang | 2 Sounder, Ruby | 2013-08-29 | 7.5 HIGH | N/A |
| lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename. | |||||
| CVE-2013-4172 | 1 Redhat | 1 Cloudforms Management Engine | 2013-08-27 | 8.5 HIGH | N/A |
| The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors. | |||||
| CVE-2013-3373 | 1 Bestpractical | 1 Rt | 2013-08-26 | 5.0 MEDIUM | N/A |
| CRLF injection vulnerability in Request Tracker (RT) 3.8.x before 3.8.17 and 4.0.x before 4.0.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a MIME header. | |||||
| CVE-2013-2802 | 1 Sixnet | 2 Rtu Firmware, Udr | 2013-08-23 | 10.0 HIGH | N/A |
| The universal protocol implementation in Sixnet UDR before 2.0 and RTU firmware before 4.8 allows remote attackers to execute arbitrary code; read, modify, or create files; or obtain file metadata via function opcodes. | |||||
| CVE-2013-3402 | 1 Cisco | 1 Unified Communications Manager | 2013-08-20 | 6.5 MEDIUM | N/A |
| An unspecified function in Cisco Unified Communications Manager (CUCM) 7.1(x) through 9.1(2) allows remote authenticated users to execute arbitrary commands via unknown vectors, aka Bug ID CSCuh73440. | |||||
| CVE-2010-3313 | 1 Egroupware | 1 Egroupware | 2013-08-18 | 7.5 HIGH | N/A |
| phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters. | |||||
| CVE-2013-3383 | 1 Cisco | 2 Ironport Asyncos, Web Security Appliance | 2013-06-28 | 9.0 HIGH | N/A |
| The web framework in IronPort AsyncOS on Cisco Web Security Appliance devices before 7.1.3-013, 7.5 before 7.5.0-838, and 7.7 before 7.7.0-550 allows remote authenticated users to execute arbitrary commands via crafted command-line input in a URL sent over IPv4, aka Bug ID CSCzv69294. | |||||
| CVE-2012-4008 | 1 Cybozu | 1 Cybozu Live | 2013-06-19 | 6.8 MEDIUM | N/A |
| The Cybozu Live application 1.0.4 and earlier for Android allows remote attackers to execute arbitrary Java methods, and obtain sensitive information or execute arbitrary commands, via a crafted web site. | |||||
| CVE-2012-4009 | 1 Cybozu | 1 Cybozu Live | 2013-06-19 | 6.8 MEDIUM | N/A |
| The WebView class in the Cybozu Live application 1.0.4 and earlier for Android allows remote attackers to execute arbitrary JavaScript code, and obtain sensitive information, via a crafted application that places this code into a local file associated with a file: URL. | |||||
| CVE-2013-3520 | 1 Vmware | 1 Vcenter Chargeback Manager | 2013-06-18 | 7.5 HIGH | N/A |
| VMware vCenter Chargeback Manager (aka CBM) before 2.5.1 does not proper handle uploads, which allows remote attackers to execute arbitrary code via unspecified vectors. | |||||
| CVE-2013-0143 | 1 Qnap | 3 Nas, Surveillance Station Pro, Viostor Network Video Recorder | 2013-06-10 | 6.5 MEDIUM | N/A |
| cgi-bin/pingping.cgi on QNAP VioStor NVR devices with firmware 4.0.3, and in the Surveillance Station Pro component in QNAP NAS, allows remote authenticated users to execute arbitrary commands by leveraging guest access and placing shell metacharacters in the query string. | |||||
| CVE-2012-4707 | 1 3s-software | 1 Codesys Gateway-server | 2013-05-21 | 10.0 HIGH | N/A |
| 3S CODESYS Gateway-Server before 2.3.9.27 allows remote attackers to execute arbitrary code via vectors that trigger an out-of-bounds memory access. | |||||
| CVE-2013-3508 | 1 Gwos | 1 Groundwork Monitor | 2013-05-08 | 6.5 MEDIUM | N/A |
| html/System-Files.php in the System File Overview feature in the NeDi component in GroundWork Monitor Enterprise 6.7.0 allows remote authenticated users to execute arbitrary commands via vectors involving file editing. | |||||
| CVE-2013-3079 | 1 Vmware | 1 Vcenter Server Appliance | 2013-05-01 | 9.0 HIGH | N/A |
| VMware vCenter Server Appliance (vCSA) 5.1 before Update 1 allows remote authenticated users to execute arbitrary programs with root privileges by leveraging Virtual Appliance Management Interface (VAMI) access. | |||||
| CVE-2013-0132 | 1 Parallels | 1 Parallels Plesk Panel | 2013-04-19 | 6.8 MEDIUM | N/A |
| The suexec implementation in Parallels Plesk Panel 11.0.9 contains a cgi-wrapper whitelist entry, which allows user-assisted remote attackers to execute arbitrary PHP code via a request containing crafted environment variables. | |||||
| CVE-2012-2085 | 1 Gajim | 1 Gajim | 2013-04-19 | 6.8 MEDIUM | N/A |
| The exec_command function in common/helpers.py in Gajim before 0.15 allows user-assisted remote attackers to execute arbitrary commands via shell metacharacters in an href attribute. | |||||