Remote code execution

flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code...

CVE-2021-41402

flatCore-CMS v2.0.8 has a code execution vulnerability, which could let a remote malicious user execute arbitrary PHP code...

Authorization

The Member Hero WordPress plugin through 1.0.9 lacks authorization checks, and does not validate the a request parameter in an AJAX action, allowing unauthenticated users to call arbitrary PHP functions with no arguments...

Magento 2 Community Edition RCE Vulnerability

A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary P...

GHSA-969V-MWP3-4MR3 Magento 2 Community Edition RCE Vulnerability

A remote code execution vulnerability exists in Magento Open Source prior to 1.9.4.2, and Magento Commerce prior to 1.14.4.2, Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2. An authenticated user with admin privileges to create sitemaps can execute arbitrary P...

GHSA-V527-6H5R-CFG8 Magento 2 Community Edition Unsafe File Upload

A security bypass exists in Magento 2.1 prior to 2.1.18, Magento 2.2 prior to 2.2.9, Magento 2.3 prior to 2.3.2 that could be abused to execute arbitrary PHP code. An authenticated user can bypass security protections that prevent arbitrary PHP script upload via form data injection...

GHSA-54JJ-PXX2-PV8H TYPO3 doesn't properly check file extensions

The 1 file upload component and 2 File Abstraction Layer FAL in TYPO3 6.0.x before 6.0.8 and 6.1.x before 6.1.3 do not properly check file extensions, which allow remote authenticated editors to execute arbitrary PHP code by uploading a .php file...

GHSA-74QV-RV53-5WCX Yii PHP Framework arbitrary PHP scripts execution

The CDetailView widget in Yii PHP Framework 1.1.14 allows remote attackers to execute arbitrary PHP scripts via vectors related to the value property...

GHSA-PW5C-XQF2-6XC2 Doctrine Security Misconfiguration Vulnerability

Doctrine Annotations before 1.2.7, Cache before 1.3.2 and 1.4.x before 1.4.2, Common before 2.4.3 and 2.5.x before 2.5.1, ORM before 2.4.8 or 2.5.x before 2.5.1, MongoDB ODM before 1.0.2, and MongoDB ODM Bundle before 3.0.1 use world-writable permissions for cache directories, which allows local...

Slim vulnerable to PHP object injection

Middleware/SessionCookie.php in Slim before 2.6.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data...

GHSA-74MF-VJPG-9XH7 Slim vulnerable to PHP object injection

Middleware/SessionCookie.php in Slim before 2.6.0 allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via crafted session data...

GHSA-2R5H-6R7V-5M7C Symphony Vulnerable to PHP Code Injection via YAML Parsing

The Yaml::parse function in Symfony 2.0.x before 2.0.22 remote attackers to execute arbitrary PHP code via a PHP file, a different vulnerability than CVE-2013-1397...

Symfony Arbitrary PHP code Execution

Symfony 2.0.x before 2.0.22, 2.1.x before 2.1.7, and 2.2.x remote attackers to execute arbitrary PHP code via a serialized PHP object to the 1 Yaml::parse or 2 Yaml\Parser::parse function, a different vulnerability than CVE-2013-1348...

GHSA-5CMG-8M8P-WHMJ GeniXCMS arbitrary PHP code execution

In the Upload Modules page in GeniXCMS 1.1.4, remote authenticated users can execute arbitrary PHP code via a .php file in a ZIP archive of a module...

TYPO3 Color Picker Wizard component allows remote authenticated editors to execute arbitrary PHP code

The Color Picker Wizard component in TYPO3 4.5.0 before 4.5.34, 4.7.0 before 4.7.19, 6.0.0 before 6.0.14, and 6.1.0 before 6.1.9 allows remote authenticated editors to execute arbitrary PHP code via a serialized PHP object...

GHSA-WPWW-HX7X-XFJH phpMyAdmin PHP code injection

An issue was discovered in phpMyAdmin. A specially crafted database name could be used to run arbitrary PHP commands through the array export feature. All 4.6.x versions prior to 4.6.4, 4.4.x versions prior to 4.4.15.8, and 4.0.x versions prior to 4.0.10.17 are affected...

GHSA-69GW-V5PH-6VXQ Code Injection in baserCMS

baserCMS 3.0.14 and earlier, 4.0.5 and earlier allows an attacker to execute arbitrary PHP code on the server via unspecified vectors...

Craft CMS PHP Code Injection Vulnerability

Craft CMS 2.6.3000 allows remote attackers to execute arbitrary PHP code by using the "Assets-Upload files" screen and then the "Replace it" option, because this allows a .jpg file to have embedded PHP code, and then be renamed to a .php extension...

GHSA-RJC2-X53R-6C9R RCE in baserCMS before 4.1.4

In baserCMS before 4.1.4, lib\Baser\Model\ThemeConfig.php allows remote attackers to execute arbitrary PHP code via the admin/themeconfigs/form dataThemeConfiglogo parameter...

CVE-2022-27257

A PHP Local File Inclusion vulneraility in the default Redbasic theme for Hubzilla before version 7.2 allows remote attackers to include arbitrary php files via the schema parameter...