CVE-2020-7672
CVE-2020-7672 affects the mosc package (mosc through 1.0.0). The vulnerability lies in user input passed to the properties argument, which is executed via eval, leading to arbitrary code execution. In practice, a crafted input can cause code execution in impacted environments (SNYK provides a Pro...
CVE-2020-7675
cd-messenger through 2.7.26 is vulnerable to Arbitrary Code Execution. User input provided to the color argument is executed by the eval function, resulting in code execution...
CVE-2020-7673
node-extend through 0.2.0 is vulnerable to Arbitrary Code Execution. User input provided to the argument A of extend function(A,B,as,isAargs) located within lib/extend.js is executed by the eval function, resulting in code execution...
Arbitrary Code Execution
Overview node-extend is an extend for node.js. Affected versions of this package are vulnerable to Arbitrary Code Execution. User input provided to the argument A of extend function(A,B,as,isAargs) located within lib/extend.js is executed by the eval function, resulting in code execution. PoC var...
Arbitrary Code Execution
Overview access-policy is a package that encodes and decodes policy JSON files for use with web applications. Affected versions of this package are vulnerable to Arbitrary Code Execution. User input provided to the template function is executed by the eval function, resulting in code execution. Po...
Urban Dictionary: DOM XSS through ads
Multiple ads hosted on www.urbandictionary.com make the www.urbandictionary.com origin vulnerable to DOM XSS. Attached is an image of alert(document.domain) executing. The injection works in Firefox and Chrome. Visiting the following URL will probably cause an alert box displaying the document.doma...
MCIR
This is a collection of intentionally vulnerable applications for testing code injection vulnerabilities. The applications are designed to be used in a trusted web environment and should not be published on a production server or exposed to the internet. The applications include: CryptOMG: A...
CVE-2020-10176
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43p1 devices allow Eval Injection of commands...
SQL injection
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43p1 devices allow Eval Injection of commands...
CVE-2020-10176
CVE-2020-10176 affects ASSA ABLOY Yale WIPC-301W devices in the 2.x.2.29–2.x.2.43_p1 range. The issue is described as an evaluation (eval) injection that enables remote command execution through the device’s HTTP API. The NVD entry notes high-severity impact with network attack vector and no user...
CVE-2020-10176
ASSA ABLOY Yale WIPC-301W 2.x.2.29 through 2.x.2.43p1 devices allow Eval Injection of commands...
PT-2020-11957 · Assa Abloy · Assa Abloy Yale Wipc-301W
Name of the Vulnerable Software and Affected Versions: ASSA ABLOY Yale WIPC-301W versions 2.x.2.29 through 2.x.2.43 p1 Description: The issue allows Eval Injection of commands. Recommendations: For versions 2.x.2.29 through 2.x.2.43 p1, consider disabling the eval function as a temporary workarou...
GHSA-RC77-XXQ6-4MFF Command Injection in hot-formula-parser
Versions of hot-formula-parser prior to 3.0.1 are vulnerable to Command Injection. The package fails to sanitize values passed to the parse function and concatenates them into an eval call. If a value of the formula is supplied by user-controlled input, it may allow attackers to run arbitrary commands...
Huawei EulerOS: Security Advisory for perl (EulerOS-SA-2020-1527)
The remote host is missing an update for the Huawei EulerOS perl package (EulerOS-SA-2020-1527)...
CVE-2020-10948
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests...
Design/Logic Flaw
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests...
CVE-2020-10948
The CVE-2020-10948 entry concerns Jon Hedley’s AlienForm2 (AlienForm CGI, typically af.cgi or alienform.cgi) v2.0.2, which is vulnerable to Remote Command Execution via eval injection. The vulnerability is unauthenticated and exploitable by remote attackers through crafted requests; this is descr...
CVE-2020-10948
Jon Hedley AlienForm2 (typically installed as af.cgi or alienform.cgi) 2.0.2 is vulnerable to Remote Command Execution via eval injection, a different issue than CVE-2002-0934. An unauthenticated, remote attacker can exploit this via a series of crafted requests...
Product Lister for Walmart <= 1.0.0 - Unauthenticated RCE via Outdated PHPUnit
The plugin uses an outdated PHPUnit library, which is known to be affected by an unauthenticated RCE issue. February 28th, 2020 - Ticket sent to vendor via https://support.cedcommerce.com/open.php. March 6th, 2020 - Update requested from vendor; also realised that the ticket was closed w/o reason giv...
CVE-2020-6650
UPS companion software v1.05 and prior is affected by an "Eval Injection" vulnerability. The software does not neutralize, or incorrectly neutralizes, code syntax before using the input in a dynamic evaluation call (e.g. "eval") in the "Update Manager" class when the software attempts to see if there are updates...