CVE-2024-4181

The CVE-2024-4181 issue affects llama_index (RunGptLLM class) version 0.9.47 used by RunGpt framework to connect to LLMs. Root cause: unsafe use of eval enabling a malicious or compromised LLM hosting provider to run arbitrary commands on a client machine. Impact statements in sources indicate th...

CVE-2024-4181 Command Injection in run-llama/llama_index

A command injection vulnerability exists in the RunGptLLM class of the llamaindex library, version 0.9.47, used by the RunGpt framework from JinaAI to connect to Language Learning Models LLMs. The vulnerability arises from the improper use of the eval function, allowing a malicious or compromised...

PT-2024-29576 · Unknown · Llama Index

Name of the Vulnerable Software and Affected Versions: llama index library version 0.9.47 Description: A command injection issue exists due to the improper use of the eval function in the RunGptLLM class, allowing a malicious LLM hosting provider to execute arbitrary commands on the client's...

Code Injection

tqdm is vulnerable to Code Injection. The vulnerability is due to the handling of optional non-boolean CLI arguments such as --delim, --buf-size, --manpath which get passed through python's eval function without proper sanitization. An attacker can execute arbitrary code by injecting malicious...

CVE-2024-3271

A command injection vulnerability exists in the run-llama/llamaindex repository, specifically within the safeeval function. Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. This is achieved by...

llama-index-core Prompt Injection vulnerability leading to Arbitrary Code Execution

A vulnerability was identified in the executils class of the llamaindex package, specifically within the safeeval function, allowing for prompt injection leading to arbitrary code execution. This issue arises due to insufficient validation of input, which can be exploited to bypass method...

Unauthenticated RCE in Bricks Builder Theme

This module exploits an unauthenticated remote code execution vulnerability in the Bricks Builder Theme versions use exploit/multi/http/wpbricksbuilderrce msf exploitwpbricksbuilderrce show targets ...targets... msf exploitwpbricksbuilderrce set TARGET msf exploitwpbricksbuilderrce show options...

PT-2023-28807 · Searchor · Searchor

Name of the Vulnerable Software and Affected Versions: Searchor versions prior to 2.4.2 Description: The issue allows an attacker to execute arbitrary code via a crafted script to the eval function in Searchor's main.py file, affecting the search feature in Searchor's Command Line Interface. This...

CVE-2022-43711

Interactive Forms IAF in GX Software XperienCentral versions 10.29.1 until 10.33.0 was vulnerable to cross site scripting attacks XSS because the CSP header uses eval in the script-src...

GX Software XperienCentral 跨站脚本漏洞

GX Software XperienCentral is a CMS from GX Software. A security vulnerability exists in GX Software XperienCentral versions 10.29.1 through 10.33.0, which stems from the use of the eval function in script-src, resulting in a cross-site scripting XSS vulnerability...

PT-2023-3706 · Acme.Sh · Acme.Sh

Name of the Vulnerable Software and Affected Versions: acme.sh versions prior to 3.0.6 Description: The issue arises from insufficient input validation in the Eval function of the ACME protocol client Acme.sh, allowing a remote attacker to execute arbitrary code. This has been exploited in the wi...

PT-2023-22701 · Ebankit · Ebankit

Name of the Vulnerable Software and Affected Versions: ebankIT versions prior to 7 Description: An issue exists where Document Object Model based XSS is present within the "/Security/Transactions/Transactions.aspx" endpoint. Users can supply their own JavaScript within the...

Arbitrary Command Execution

pullit is vulnerable to Arbitrary Command Execution. The vulnerability exists in index.js due to an insecure use of the eval function which allows an attacker to inject and execute arbitrary commands...

Device Manager Express 7.8.20002.47752 SQL Injection / XSS / Code Execution / Traversal

Device Manager Express versions 7.8.20002.47752 and below suffer from code execution, command execution, cross site scripting, remote SQL injection, and traversal vulnerabilities. Product Name: Device Manager Express Vendor Homepage: https://www.audiocodes.com Software Link:...

SUSE CVE-2011-1095

locale/programs/locale.c in locale in the GNU C Library aka glibc or libc6 before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function...

Arbitrary Code Execution

paddlepaddle is vulnerable to arbitrary code execution. The vulnerability exists in the getwindow function in window.py because it calls eval on user supplied winstr which allows an attacker to inject and execute malicious codes in to the system...

UBUNTU-CVE-2022-21797

The package joblib from 0 and before 1.2.0 are vulnerable to Arbitrary Code Execution via the predispatch flag in Parallel class due to the eval statement...

React Editable Json Tree vulnerable to arbitrary code execution via function parsing

Impact Our library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function was used to execute strings that begin with "function" as Javascript. This was an oversight that unfortunately allows arbitrary code to be...

CVE-2022-36010 Arbitrary code execution via function parsing in react-editable-json-tree

This library allows strings to be parsed as functions and stored as a specialized component, JsonFunctionValue. To do this, Javascript's eval function is used to execute strings that begin with "function" as Javascript. This unfortunately could allow arbitrary code to be executed if it exists as ...

Sql injection

PrestaShop is an Open Source e-commerce platform. In versions from 1.6.0.10 and before 1.7.8.7 PrestaShop is subject to an SQL injection vulnerability which can be chained to call PHP's Eval function on attacker input. The problem is fixed in version 1.7.8.7. Users are advised to upgrade. Users...