Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1.

CVE-2023-3401MEDIUMCVSS 4.8EG 4.8

2023-08-02

An issue has been discovered in GitLab affecting all versions before 16.0.8, all versions starting from 16.1 before 16.1.3, all versions starting from 16.2 before 16.2.2. The main branch of a repository with a specially designed name allow…

CVE-2023-34112MEDIUMCVSS 4.3EG 4.3

2023-06-09

JavaCPP Presets is a project providing Java distributions of native C++ libraries. All the actions in the `bytedeco/javacpp-presets` use the `github.event.head_commit.message` parameter in an insecure way. For example, the commit messag…

CVE-2023-34195HIGHCVSS 7.8EG 7.8

2023-09-18

An issue was discovered in SystemFirmwareManagementRuntimeDxe in Insyde InsydeH2O with kernel 5.0 through 5.5. The implementation of the GetImage method retrieves the value of a runtime variable named GetImageProgress, and later uses this …

CVE-2023-34237HIGHCVSS 8.1EG 8.1

2023-06-07

SABnzbd is an open source automated Usenet download tool. A design flaw was discovered in SABnzbd that could allow remote code execution. Manipulating the Parameters setting in the Notification Script functionality allows code execution wi…

CVE-2023-34251CRITICALCVSS 9.9EG 9.9

2023-06-14

Grav is a flat-file content management system. Versions prior to 1.7.42 are vulnerable to server side template injection. Remote code execution is possible by embedding malicious PHP code on the administrator screen by a user with page edi…

CVE-2023-34252HIGHCVSS 8.8EG 8.8

2023-06-14

Grav is a flat-file content management system. Prior to version 1.7.42, there is a logic flaw in the `GravExtension.filterFilter()` function whereby validation against a denylist of unsafe functions is only performed when the argument pass…

CVE-2023-34253HIGHCVSS 8.8EG 8.8

2023-06-14

Grav is a flat-file content management system. Prior to version 1.7.42, the denylist introduced in commit 9d6a2d to prevent dangerous functions from being executed via injection of malicious templates was insufficient and could be easily s…

CVE-2023-34330HIGHCVSS 8.2EG 8.2

2023-07-18

AMI SPx contains a vulnerability in the BMC where a user may inject code which could be executed via a Dynamic Redfish Extension interface. A successful exploit of this vulnerability may lead to a loss of confidentiality, integrity, and av…

CVE-2023-34448HIGHCVSS 8.8EG 8.8

2023-06-14

Grav is a flat-file content management system. Prior to version 1.7.42, the patch for CVE-2022-2073, a server-side template injection vulnerability in Grav leveraging the default `filter()` function, did not block other built-in functions …

CVE-2023-34468HIGHCVSS 8.8EG 8.8

2023-06-12

The DBCPConnectionPool and HikariCPConnectionPool Controller Services in Apache NiFi 0.0.2 through 1.21.0 allow an authenticated and authorized user to configure a Database URL with the H2 driver that enables custom code execution. The re…

CVE-2023-34644CRITICALCVSS 9.8EG 9.8

2023-07-31

Remote code execution vulnerability in Ruijie Networks Product: RG-EW series home routers and repeaters EW_3.0(1)B11P204, RG-NBS and RG-S1930 series switches SWITCH_3.0(1)B11P218, RG-EG series business VPN routers EG_3.0(1)B11P216, EAP and…

CVE-2023-34842CRITICALCVSS 9.8EG 9.8

2023-07-31

Remote Code Execution vulnerability in DedeCMS through 5.7.109 allows remote attackers to run arbitrary code via crafted POST request to /dede/tpl.php.

CVE-2023-34990CRITICALCVSS 9.8EG 9.8

2024-12-18

A relative path traversal in Fortinet FortiWLM version 8.6.0 through 8.6.5 and 8.5.0 through 8.5.4 allows attacker to execute unauthorized code or commands via specially crafted web requests.

CVE-2023-34999HIGHCVSS 8.4EG 8.4

2023-09-18

A command injection vulnerability exists in RTS VLink Virtual Matrix Software Versions v5 (< 5.7.6) and v6 (< 6.5.0) that allows an attacker to perform arbitrary code execution via the admin web interface.

CVE-2023-35034CRITICALCVSS 9.8EG 9.8

2023-06-12

Atos Unify OpenScape 4000 Assistant V10 R1 before V10 R1.42.0 and V10 R1.34.8 and Manager V10 R1 before V10 R1.42.0 and V10 R1.34.8 allow remote code execution by unauthenticated users, aka OSFOURK-24033.

CVE-2023-35150CRITICALCVSS 9.9EG 9.9

2023-06-23

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute cod…

CVE-2023-35152CRITICALCVSS 9.9EG 9.9

2023-06-23

XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. L…

CVE-2023-3519CRITICALCVSS 9.8EG 9.8⚠ KEV

2023-07-19

Unauthenticated remote code execution

CVE-2023-35333HIGHCVSS 8.8EG 8.8

2023-07-11

MediaWiki PandocUpload Extension Remote Code Execution Vulnerability

CVE-2023-3551HIGHCVSS 7.2EG 7.2

2023-07-08

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

CVE-2023-35701MEDIUMCVSS 6.6EG 6.6

2024-05-03

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC…

CVE-2023-35809HIGHCVSS 8.8EG 8.8

2023-06-17

An issue was discovered in SugarCRM Enterprise before 11.0.6 and 12.x before 12.0.3. A Bean Manipulation vulnerability has been identified in the REST API. By using a crafted request, custom PHP code can be injected through the REST API be…

CVE-2023-35813CRITICALCVSS 9.8EG 9.8

2023-06-17

Multiple Sitecore products allow remote code execution. This affects Experience Manager, Experience Platform, and Experience Commerce through 10.3.

CVE-2023-35853CRITICALCVSS 9.8EG 9.8

2023-06-19

In Suricata before 6.0.13, an adversary who controls an external source of Lua rules may be able to execute Lua code. This is addressed in 6.0.13 by disabling Lua unless allow-rules is true in the security lua configuration section.

CVE-2023-35897HIGHCVSS 8.4EG 8.4

2023-10-06

IBM Spectrum Protect Client and IBM Storage Protect for Virtual Environments 8.1.0.0 through 8.1.19.0 could allow a local user to execute arbitrary code on the system using a specially crafted file, caused by a DLL hijacking flaw. IBM X-F…

CVE-2023-35926HIGHCVSS 8.0EG 8.0

2023-06-22

Backstage is an open platform for building developer portals. The Backstage scaffolder-backend plugin uses a templating library that requires sandbox, as it by design allows for code injection. The library used for this sandbox so far has …

CVE-2023-36014HIGHCVSS 7.3EG 7.3

2023-11-10

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36022MEDIUMCVSS 6.6EG 6.6

2023-11-03

Microsoft Edge (Chromium-based) Remote Code Execution Vulnerability

CVE-2023-36095CRITICALCVSS 9.8EG 9.8

2023-08-05

An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt.

CVE-2023-36177CRITICALCVSS 9.8EG 9.8

2024-01-23

An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.

CVE-2023-36255HIGHCVSS 8.8EG 9.0

2023-08-03

An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.

CVE-2023-36258CRITICALCVSS 9.8EG 9.8

2023-07-03

An issue in LangChain before 0.0.236 allows an attacker to execute arbitrary code because Python code with os.system, exec, or eval can be used.

CVE-2023-36281CRITICALCVSS 9.8EG 9.8

2023-08-22

An issue in langchain v.0.0.171 allows a remote attacker to execute arbitrary code via a JSON file to load_prompt. This is related to __subclasses__ or a template.

CVE-2023-36437HIGHCVSS 8.8EG 8.8

2023-11-14

Azure DevOps Server Remote Code Execution Vulnerability

CVE-2023-36467HIGHCVSS 8.0EG 8.0

2023-06-28

AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘…

CVE-2023-36542HIGHCVSS 8.8EG 8.8

2023-07-29

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code executi…

CVE-2023-3656CRITICALCVSS 9.8EG 9.8

2023-10-03

cashIT! - serving solutions. Devices from "PoS/ Dienstleistung, Entwicklung & Vertrieb GmbH" to 03.A06rks 2023.02.37 are affected by an unauthenticated remote code execution vulnerability. This vulnerability can be triggered by an HTTP end…

CVE-2023-36570HIGHCVSS 7.3EG 7.3

2023-10-10