CWE-94— Improper Control of Generation of Code (Code Injection)
6,193 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-94page 17 of 124
- CVE-2008-3764NONECVSS 0.0EG 0.02008-08-21
Eval injection vulnerability in globalsoff.php in Turnkey PHP Live Helper 2.0.1 and earlier allows remote attackers to execute arbitrary PHP code via the test parameter, and probably arbitrary parameters, to chat.php.
- CVE-2008-3769NONECVSS 0.0EG 0.02008-08-22
PHP remote file inclusion vulnerability in admin/create_order_new.php in Freeway 1.4.1.171, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the include_page parameter.
- CVE-2008-3882NONECVSS 0.0EG 0.02008-09-02
Unspecified "Command Injection" vulnerability in ZoneMinder 1.23.3 and earlier allows remote attackers to execute arbitrary commands via (1) the executeFilter function in zm_html_view_events.php and (2) the run_state parameter to zm_html_v…
- CVE-2008-3919NONECVSS 0.0EG 0.02008-09-04
Unspecified vulnerability in multiple JustSystems Ichitaro products allows remote attackers to execute arbitrary code via a crafted JTD document, as exploited in the wild in August 2008.
- CVE-2008-3922NONECVSS 0.0EG 9.02008-09-04
awstatstotals.php in AWStats Totals 1.0 through 1.14 allows remote attackers to execute arbitrary code via PHP sequences in the sort parameter, which is used by the multisort function when dynamically creating an anonymous PHP function.
- CVE-2008-3949NONECVSS 0.0EG 0.02008-09-22
emacs/lisp/progmodes/python.el in Emacs 22.1 and 22.2 imports Python script from the current working directory during editing of a Python file, which allows local users to execute arbitrary code via a Trojan horse Python file.
- CVE-2008-3956NONECVSS 0.0EG 0.02008-09-11
orgchart.exe in Microsoft Organization Chart 2.00 allows user-assisted attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted .opx file.
- CVE-2008-4024NONECVSS 0.0EG 0.02008-12-10
Microsoft Office Word 2000 SP3 and 2002 SP3 and Office 2004 for Mac allow remote attackers to execute arbitrary code via a Word document with a crafted lcbPlcfBkfSdt field in the File Information Block (FIB), which bypasses an initializati…
- CVE-2008-4047NONECVSS 0.0EG 0.02008-09-11
Unspecified vulnerability in Novell Forum (formerly SiteScape Forum) 7.0, 7.1, 7.2, 7.3, and 8.0 allows remote attackers to execute arbitrary TCL code via a modified URL. NOTE: this might overlap CVE-2007-6515.
- CVE-2008-4134NONECVSS 0.0EG 0.02008-09-19
PHP remote file inclusion vulnerability in manager/static/view.php in phpRealty 0.03 and earlier, and possibly other versions before 0.05, allows remote attackers to execute arbitrary PHP code via a URL in the INC parameter.
- CVE-2008-4138NONECVSS 0.0EG 0.02008-09-24
PHP remote file inclusion vulnerability in skin_shop/standard/3_plugin_twindow/twindow_notice.php in TECHNOTE 7 allows remote attackers to execute arbitrary PHP code via a URL in the shop_this_skin_path parameter.
- CVE-2008-4141NONECVSS 0.0EG 0.02008-09-24
Multiple PHP remote file inclusion vulnerabilities in x10Media x10 Automatic MP3 Script 1.5.5 allow remote attackers to execute arbitrary PHP code via a URL in the web_root parameter to (1) includes/function_core.php and (2) templates/layo…
- CVE-2008-4188NONECVSS 0.0EG 0.02008-09-23
Unspecified vulnerability in the TYPO3 Secure Directory (kw_secdir) extension before 1.0.2 allows remote attackers to execute arbitrary code via unknown vectors related to "injection of control characters."
- CVE-2008-4206NONECVSS 0.0EG 0.02008-09-24
PHP remote file inclusion vulnerability in config.php in Attachmax Dolphin 2.1.0 and earlier, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the rel_path parameter.
- CVE-2008-4250CRITICALCVSS 9.8EG 9.8⚠ KEV2008-10-23
The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overfl…
- CVE-2008-4305NONECVSS 0.0EG 0.02008-12-23
Static code injection vulnerability in installation/setup.php in phpCollab 2.5 rc3 and earlier allows remote authenticated administrators to inject arbitrary PHP code into include/settings.php via the URI.
- CVE-2008-4385NONECVSS 0.0EG 0.02008-10-14
Husdawg, LLC Systems Requirements Lab 3, as used by Instant Expert Analysis, allows remote attackers to force the download and execution of arbitrary programs via by specifiying a malicious website argument to the Init method in (1) a cert…
- CVE-2008-4387NONECVSS 0.0EG 0.02008-11-10
Unspecified vulnerability in the Simba MDrmSap ActiveX control in mdrmsap.dll in SAP SAPgui allows remote attackers to execute arbitrary code via unknown vectors involving instantiation by Internet Explorer.
- CVE-2008-4439NONECVSS 0.0EG 0.02008-10-03
PHP remote file inclusion vulnerability in admin/bin/patch.php in MartinWood Datafeed Studio before 1.6.3 allows remote attackers to execute arbitrary PHP code via a URL in the INSTALL_FOLDER parameter. NOTE: the provenance of this informa…
- CVE-2008-4451NONECVSS 0.0EG 0.02008-10-06
The SysInspector AntiStealth driver (esiasdrv.sys) 3.0.65535.0 in ESET System Analyzer Tool 1.1.1.0 allows local users to execute arbitrary code via a certain METHOD_NEITHER IOCTL request to \Device\esiasdrv that overwrites a pointer.
- CVE-2008-4502NONECVSS 0.0EG 0.02008-10-09
Multiple PHP remote file inclusion vulnerabilities in DataFeedFile (DFF) PHP Framework API allow remote attackers to execute arbitrary PHP code via a URL in the DFF_config[dir_include] parameter to (1) DFF_affiliate_client_API.php, (2) DFF…
- CVE-2008-4529NONECVSS 0.0EG 0.02008-10-09
Multiple PHP remote file inclusion vulnerabilities in asiCMS alpha 0.208 allow remote attackers to execute arbitrary PHP code via a URL in the _ENV[asicms][path] parameter to (1) Association.php, (2) BigMath.php, (3) DiffieHellman.php, (4)…
- CVE-2008-4557NONECVSS 0.0EG 0.02008-10-14
plugins/wacko/highlight/html.php in Strawberry in CuteNews.ru 1.1.1 (aka Strawberry) allows remote attackers to execute arbitrary PHP code via the text parameter, which is inserted into an executable regular expression.
- CVE-2008-4624NONECVSS 0.0EG 0.02008-10-21
PHP remote file inclusion vulnerability in init.php in Fast Click SQL Lite 1.1.7, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the CFG[CDIR] parameter.
- CVE-2008-4645NONECVSS 0.0EG 0.02008-10-22
plugins/event_tracer/event_list.php in PhpWebGallery 1.7.2 and earlier allows remote authenticated administrators to execute arbitrary PHP code via PHP sequences in the sort parameter, which is processed by create_function.
- CVE-2008-4673NONECVSS 0.0EG 0.02008-10-22
PHP remote file inclusion vulnerability in panel/common/theme/default/header_setup.php in WebBiscuits Software Events Calendar 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the (1) path[docroot] and (2) component p…
- CVE-2008-4687NONECVSS 0.0EG 0.02008-10-22
manage_proj_page.php in Mantis before 1.1.4 allows remote authenticated users to execute arbitrary code via a sort parameter containing PHP sequences, which are processed by create_function within the multi_sort function in core/utility_ap…
- CVE-2008-4704NONECVSS 0.0EG 0.02008-10-23
PHP remote file inclusion vulnerability in SezHooTabsAndActions.php in SezHoo 0.1 allows remote attackers to execute arbitrary PHP code via a URL in the IP parameter.
- CVE-2008-4719NONECVSS 0.0EG 0.02008-10-23
PHP remote file inclusion vulnerability in cms/classes/openengine/filepool.php in openEngine 2.0 beta2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the oe_classpath parameter, a diff…
- CVE-2008-4720NONECVSS 0.0EG 0.02008-10-23
Multiple PHP remote file inclusion vulnerabilities in The Gemini Portal 4.7 allow remote attackers to execute arbitrary PHP code via a URL in the lang parameter to (1) page/forums/bottom.php and (2) page/forums/category.php.
- CVE-2008-4735NONECVSS 0.0EG 0.02008-10-24
PHP remote file inclusion vulnerability in header.php in Concord Asset, Software, and Ticket system (CoAST) 0.95 allows remote attackers to execute arbitrary PHP code via a URL in the sections_file parameter.
- CVE-2008-4798NONECVSS 0.0EG 0.02008-10-30
The loadModule function in lib/WebGUI/Asset.pm in WebGUI before 7.5.30 (stable) allows remote attackers to execute arbitrary code by uploading a Perl module and accessing it via a crafted URL.
- CVE-2008-4810NONECVSS 0.0EG 0.02008-10-31
The _expand_quoted_text function in libs/Smarty_Compiler.class.php in Smarty 2.6.20 before r2797 allows remote attackers to execute arbitrary PHP code via vectors related to templates and (1) a dollar-sign character, aka "php executed in t…
- CVE-2008-4911NONECVSS 0.0EG 0.02008-11-04
PHP remote file inclusion vulnerability in read.php in Chattaitaliano Istant-Replay allows remote attackers to execute arbitrary PHP code via a URL in the data parameter.
- CVE-2008-5015NONECVSS 0.0EG 0.02008-11-13
Mozilla Firefox 3.x before 3.0.4 assigns chrome privileges to a file: URI when it is accessed in the same tab from a chrome or privileged about: page, which makes it easier for user-assisted attackers to execute arbitrary JavaScript with c…
- CVE-2008-5053NONECVSS 0.0EG 0.02008-11-13
PHP remote file inclusion vulnerability in admin.rssreader.php in the Simple RSS Reader (com_rssreader) 1.0 component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_live_site parameter.
- CVE-2008-5060NONECVSS 0.0EG 0.02008-11-13
Multiple PHP remote file inclusion vulnerabilities in ModernBill 4.4 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the DIR parameter to (1) export_batch.inc.php, (2) run_auto_suspend.cron.php, and (3) send_e…
- CVE-2008-5063NONECVSS 0.0EG 0.02008-11-13
PHP remote file inclusion vulnerability in Admin/ADM_Pagina.php in OTManager 2.4 allows remote attackers to execute arbitrary PHP code via a URL in the Tipo parameter.
- CVE-2008-5066NONECVSS 0.0EG 0.02008-11-13
PHP remote file inclusion vulnerability in upload/admin/frontpage_right.php in Agares Media ThemeSiteScript 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the loadadminpage parameter.
- CVE-2008-5071NONECVSS 0.0EG 0.02008-11-14
Multiple eval injection vulnerabilities in itpm_estimate.php in Yoxel 1.23beta and earlier allow remote authenticated users to execute arbitrary PHP code via the proj_id parameter.
- CVE-2008-5090NONECVSS 0.0EG 0.02008-11-14
Electron Inc. Advanced Electron Forum before 1.0.7 allows remote attackers to execute arbitrary PHP code via PHP code embedded in bbcode in the email parameter, which is processed by the preg_replace function with the eval switch.
- CVE-2008-5108NONECVSS 0.0EG 0.02008-11-17
Unspecified vulnerability in Adobe AIR 1.1 and earlier allows context-dependent attackers to execute untrusted JavaScript in an AIR application via unknown attack vectors.
- CVE-2008-5167NONECVSS 0.0EG 0.02008-11-19
PHP remote file inclusion vulnerability in layout/default/params.php in Boonex Orca 2.0 and 2.0.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the gConf[dir][layouts] parameter.
- CVE-2008-5173NONECVSS 0.0EG 0.02008-11-19
Unspecified vulnerability in testMaker before 3.0p16 allows remote authenticated users to execute arbitrary PHP code via unspecified attack vectors.
- CVE-2008-5199NONECVSS 0.0EG 0.02008-11-21
PHP remote file inclusion vulnerability in include.php in PHPOutsourcing IdeaBox (aka IdeBox) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the gorumDir parameter.
- CVE-2008-5206NONECVSS 0.0EG 0.02008-11-21
PHP remote file inclusion vulnerability in modules/mod_mainmenu.php in MosXML 1 Alpha allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter. NOTE: the provenance of this information is un…
- CVE-2008-5210NONECVSS 0.0EG 0.02008-11-24
Multiple PHP remote file inclusion vulnerabilities in PhpBlock A8.5 allow remote attackers to execute arbitrary PHP code via a URL in the PATH_TO_CODE parameter to (1) script/init/createallimagecache.php, (2) allincludefortick.php and (3) …
- CVE-2008-5227NONECVSS 0.0EG 0.02008-11-25
Unspecified vulnerability in PHPCow allows remote attackers to execute arbitrary code via unknown vectors, related to a "file inclusion vulnerability," as exploited in the wild in November 2008.
- CVE-2008-5288NONECVSS 0.0EG 0.02008-12-01
PHP remote file inclusion vulnerability in include/header.php in Werner Hilversum FAQ Manager 1.2, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via a URL in the config_path parameter.
- CVE-2008-5305NONECVSS 0.0EG 0.02008-12-10
Eval injection vulnerability in TWiki before 4.2.4 allows remote attackers to execute arbitrary Perl code via the %SEARCH{}% variable.
Map vulnerabilities like CWE-94 to your infrastructure
EchelonGraph correlates every CVE — across CWE-94 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →