Total
5446 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2018-17827 | 1 Hisiphp | 1 Hisiphp | 2024-11-21 | N/A |
| HisiPHP 1.0.8 allows remote attackers to execute arbitrary PHP code by editing a plugin's name to contain that code. This name is then injected into app/admin/model/AdminPlugins.php. | ||||
| CVE-2018-17364 | 1 Otcms | 1 Otcms | 2024-11-21 | N/A |
| OTCMS 3.61 allows remote attackers to execute arbitrary PHP code via the accBackupDir parameter. | ||||
| CVE-2018-17207 | 1 Snapcreek | 1 Duplicator | 2024-11-21 | 9.8 Critical |
| An issue was discovered in Snap Creek Duplicator before 1.2.42. By accessing leftover installer files (installer.php and installer-backup.php), an attacker can inject PHP code into wp-config.php during the database setup step, achieving arbitrary code execution. | ||||
| CVE-2018-17173 | 1 Lg | 1 Supersign Cms | 2024-11-21 | N/A |
| LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail. | ||||
| CVE-2018-17170 | 1 Teamwire | 1 Teamwire | 2024-11-21 | N/A |
| Grouptime Teamwire Desktop Client 1.5.1 prior to 1.9.0 on Windows allows code injection via a template, leading to remote code execution. All backend versions prior to prod-2018-11-13-15-00-42 are affected. | ||||
| CVE-2018-17134 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | N/A |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the cfg_author field in conjunction with a crafted cfg_webpath field. | ||||
| CVE-2018-17133 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | N/A |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting. | ||||
| CVE-2018-17132 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | N/A |
| admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter. | ||||
| CVE-2018-17131 | 1 Phpmywind | 1 Phpmywind | 2024-11-21 | N/A |
| admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field. | ||||
| CVE-2018-17126 | 1 Chshcms | 1 Cscms | 2024-11-21 | N/A |
| CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php. | ||||
| CVE-2018-17036 | 1 Ucms Project | 1 Ucms | 2024-11-21 | 9.8 Critical |
| An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php. | ||||
| CVE-2018-17030 | 1 Bigtreecms | 1 Bigtree Cms | 2024-11-21 | N/A |
| BigTree CMS 4.2.23 allows remote authenticated users, if possessing privileges to set hooks, to execute arbitrary code via /core/admin/auto-modules/forms/process.php. | ||||
| CVE-2018-16975 | 1 Elefantcms | 1 Elefant | 2024-11-21 | N/A |
| An issue was discovered in Elefant CMS before 2.0.7. There is a PHP Code Execution Vulnerability in /designer/add/stylesheet.php by using a .php extension in the New Stylesheet Name field in conjunction with <?php content, because of insufficient input validation in apps/designer/handlers/csspreview.php. | ||||
| CVE-2018-16771 | 1 Hoosk | 1 Hoosk | 2024-11-21 | N/A |
| Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php. | ||||
| CVE-2018-16604 | 1 Nibbleblog | 1 Nibbleblog | 2024-11-21 | N/A |
| An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes (e.g., "${phpinfo()}"). | ||||
| CVE-2018-16343 | 1 Seacms | 1 Seacms | 2024-11-21 | N/A |
| SeaCMS 6.61 allows remote attackers to execute arbitrary code because parseIf() in include/main.class.php does not block use of $GLOBALS. | ||||
| CVE-2018-16168 | 1 Jpcert | 1 Logontracer | 2024-11-21 | N/A |
| LogonTracer 1.2.0 and earlier allows remote attackers to conduct Python code injection attacks via unspecified vectors. | ||||
| CVE-2018-15886 | 1 Monstra | 1 Monstra | 2024-11-21 | N/A |
| Monstra CMS 3.0.4 does not properly restrict modified Snippet content, as demonstrated by the admin/index.php?id=snippets&action=edit_snippet&filename=google-analytics URI, which allows attackers to execute arbitrary PHP code by placing this code after a <?php substring. | ||||
| CVE-2018-15728 | 1 Couchbase | 1 Couchbase Server | 2024-11-21 | N/A |
| Couchbase Server exposed the '/diag/eval' endpoint which by default is available on TCP/8091 and/or TCP/18091. Authenticated users that have 'Full Admin' role assigned could send arbitrary Erlang code to the 'diag/eval' endpoint of the API and the code would subsequently be executed in the underlying operating system with privileges of the user which was used to start Couchbase. Affects Version: 4.0.0, 4.1.2, 4.5.1, 5.0.0, 4.6.5, 5.0.1, 5.1.1, 5.5.0, 5.5.1. Fix Version: 6.0.0, 5.5.2 | ||||
| CVE-2018-14910 | 1 Seacms | 1 Seacms | 2024-11-21 | N/A |
| SeaCMS v6.61 allows Remote Code execution by placing PHP code in an allowed IP address (aka ip) to /admin/admin_ip.php (aka /adm1n/admin_ip.php). The code is executed by visiting adm1n/admin_ip.php or data/admin/ip.php. This can also be exploited through CSRF. | ||||