721 matches found

NVD, added 2024/04/23 5:15 a.m., 11 views

CVE-2024-21511

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function...

CVSS 9.8, AI score 9.6, EPSS 0.00172
Exploits 0, References 4
Vulnrichment, added 2024/04/23 5:00 a.m., 11 views

CVE-2024-21511

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function...

CVSS 9.8, AI score 9.6, EPSS 0.00172
Exploits 0, References 4
Cvelist, added 2024/04/23 5:00 a.m., 14 views

CVE-2024-21511

Versions of the package mysql2 before 3.9.7 are vulnerable to Arbitrary Code Injection due to improper sanitization of the timezone parameter in the readCodeFor function by calling a native MySQL Server date/time function...

CVSS 9.8, AI score 9.8, EPSS 0.00172
Exploits 0, References 4
Vulnrichment, added 2024/04/16 8:09 p.m., 12 views

CVE-2024-3660 Arbitrary code injection vulnerability in Keras framework < 2.13

An arbitrary code injection vulnerability in TensorFlow's Keras framework 2.13 allows attackers to execute arbitrary code with the same permissions as the application using a model that allows arbitrary code irrespective of the application...

AI score 8, EPSS 0.0037
Exploits 1, References 2
Cvelist, added 2024/04/16 8:09 p.m., 15 views

CVE-2024-3660 Arbitrary code injection vulnerability in Keras framework < 2.13

An arbitrary code injection vulnerability in TensorFlow's Keras framework 2.13 allows attackers to execute arbitrary code with the same permissions as the application using a model that allows arbitrary code irrespective of the application...

AI score 7.9, EPSS 0.0037
Exploits 1, References 2
Vulnrichment, added 2024/04/09 5:39 p.m., 17 views

CVE-2024-31457 gin-vue-admin background arbitrary code coverage vulnerability

gin-vue-admin is a backend management system based on vue and gin, with a separated frontend and backend across the full stack. gin-vue-admin pseudoversion 0.0.0-20240407133540-7bc7c3051067, corresponding to version 2.6.1, has a code injection vulnerability in the backend. In the Plugin System - Plugi...

CVSS 7.7, AI score 7.4, EPSS 0.0033
Exploits 0, References 3
Github Security Blog, added 2024/03/22 4:29 p.m., 28 views

Grav File Upload Path Traversal

Summary: Grav is vulnerable to a file upload path traversal vulnerability that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerability can allow attackers to inject arbitrary code on the server, undermine integrity of backup files...

CVSS 8.8, AI score 9.4, EPSS 0.08787
Exploits 1, References 4, Affected Software 1
CVE, added 2024/03/21 9:38 p.m., 71 views

CVE-2024-27921

CVE-2024-27921 affects Grav CMS prior to 1.7.45. The vulnerability is a file upload path traversal in Grav’s media handling (MediaUploadTrait.php), allowing an attacker to replace or create files with extensions such as .json, .zip, .css, .gif, etc. The underlying risk includes arbitrary code exe...

CVSS 8.8, AI score 8.9, EPSS 0.08787
Exploits 1, References 2, Affected Software 1
OSV, added 2024/01/30 4:15 p.m., 2 views

CVE-2023-37518

HCL BigFix ServiceNow is vulnerable to arbitrary code injection. A malicious authorized attacker could inject arbitrary code and execute within the context of the running user...

CVSS 8.8, AI score 6
Exploits 0, References 1
CVE, added 2024/01/30 3:30 p.m., 57 views

CVE-2023-37518

CVE-2023-37518 affects HCL BigFix ServiceNow Data Flow. The vulnerability allows an authorized attacker to inject and execute arbitrary code within the running user’s context due to an arbitrary code injection in the ServiceNow Data Flow pathway. CVSS metrics in the primary entry indicate network...

CVSS 8.8, AI score 8.8, EPSS 0.00117
Exploits 0, References 1, Affected Software 1
WPVulnDB, added 2024/01/23 12:00 a.m., 10 views

WP Customer Area < 8.2.3 - Reflected Cross-Site Scripting

Description: The WP Customer Area plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVSS 5.8, AI score 6.3, EPSS 0.00656
Exploits 0, References 1, Affected Software 1
Cvelist, added 2024/01/09 9:59 a.m., 8 views

CVE-2023-44120

A vulnerability has been identified in Spectrum Power 7 All versions V23Q4. The affected product's sudo configuration permits the local administrative account to execute several entries as root user. This could allow an authenticated local attacker to inject arbitrary code and gain root access...

CVSS 7.8, AI score 7.8, EPSS 0.00064
Exploits 0, References 1
CVE, added 2024/01/09 9:59 a.m., 46 views

CVE-2023-44120

SIEMENS Spectrum Power 7 (all versions before V23Q4) has CVE-2023-44120: an incorrect permission assignment in the sudo configuration allows an authenticated local attacker to run entries as root, potentially injecting arbitrary code and gaining root access. Affected product: Spectrum Power 7 (SC...

CVSS 7.8, AI score 7.6, EPSS 0.00064
Exploits 0, References 1, Affected Software 1
IBM Security Bulletins, added 2023/12/21 5:24 p.m., 64 views

Security Bulletin: IBM Storage Fusion HCI may be vulnerable to Injection, Regular Expression Denial of Service (ReDoS), and Arbitrary Code Execution and via use of postcss, semver, babel-traverse (CVE-2023-45133, CVE-2022-25883, CVE-2023-44270)

Summary: The JavaScript libraries postcss, semver, and babel-traverse are used by IBM Storage Fusion HCI's Web Interface. Vulnerabilities in these libraries could lead to Denial of Service and Arbitrary Code Injection as described in the CVEs listed in the "Vulnerability Details" section. Vulnerabili...

CVSS 9.3, AI score 8.8, EPSS 0.00581
Exploits 1, Affected Software 1
Prion, added 2023/12/12 12:15 p.m., 18 views

Cross site scripting

A vulnerability has been identified in Opcenter Quality All versions V2312, SIMATIC PCS neo All versions V4.1, SINEC NMS All versions V2.0 SP1, SINUMERIK Integrate RunMyHMI /Automotive All versions, Totally Integrated Automation Portal TIA Portal V14 All versions, Totally Integrated Automation...

CVSS 5.8, AI score 6.2, EPSS 0.00121
Exploits 0, References 2, Affected Software 2
Cvelist, added 2023/12/12 11:27 a.m., 14 views

CVE-2023-46282

A vulnerability has been identified in Opcenter Execution Foundation All versions V2407, Opcenter Quality All versions V2312, SIMATIC PCS neo All versions V4.1, SINEC NMS All versions V2.0 SP1, Totally Integrated Automation Portal TIA Portal V14 All versions, Totally Integrated Automation Portal...

CVSS 7.1, AI score 6.4, EPSS 0.00121
Exploits 0, References 2
Github Security Blog, added 2023/12/05 11:30 p.m., 26 views

tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection

Summary: The tj-actions/branch-names GitHub Action references the github.event.pullrequest.head.ref and github.headref context variables within a GitHub Actions run step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name...

CVSS 9.8, AI score 9.5, EPSS 0.01127
Exploits 1, References 7, Affected Software 1
Cvelist, added 2023/12/04 11:21 p.m., 18 views

CVE-2023-49291 Improper Sanitization of Branch Name Leads to Arbitrary Code Injection

tj-actions/branch-names is a GitHub Action to retrieve branch or tag names with support for all events. The tj-actions/branch-names GitHub Action improperly references the github.event.pullrequest.head.ref and github.headref context variables within a GitHub Actions run step. The head ref variab...

CVSS 9.3, AI score 9.8, EPSS 0.01127
Exploits 1, References 5
Veracode, added 2023/11/08 7:30 a.m., 35 views

Arbitrary Code Injection

quartz-jobs is vulnerable to Arbitrary code injection. The vulnerability is due to lack of message validation in the SendQueueMessageJob.execute method, which can lead to remote code execution...

CVSS 9.8, AI score 8, EPSS 0.00643
Exploits 1, References 3, Affected Software 1
Prion, added 2023/11/01 8:15 a.m., 14 views

Input validation

Improper input validation in Dolibarr ERP CRM = v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code...

CVSS 6.5, AI score 8.7, EPSS 0.53316
Exploits 0, References 2, Affected Software 1