2552 matches found
Authentication flaw
In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted CSV file with a malicious payload that becomes part of a PHP eval...
Social Warfare <= 3.5.2 - Unauthenticated Arbitrary Settings Update
Malicious eval is being inserted into the wpoptions table, in the optionname: socialwafaresettings, in the Twitter field. When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites. Deactivating the plugin disables the redirect, but the malicious eval is still in t...
Prototype Pollution
safer-eval is vulnerable to prototype pollution. A lack of validation allows an attacker to inject arbitrary objects using Object.constructor to execute arbitrary code...
CVE-2018-19514
CVE-2018-19514 affects Webgalamb up to version 7.0 and enables remote arbitrary code execution. An authentication bypass is required to access admin features to upload a crafted CSV payload that becomes part of a PHP eval() expression in subscriber.php. The connected records corroborate this desc...
CVE-2018-19514
In Webgalamb through 7.0, an arbitrary code execution vulnerability could be exploited remotely without authentication. Exploitation requires authentication bypass to access administrative functions of the site to upload a crafted CSV file with a malicious payload that becomes part of a PHP eval...
Sandbox Breakout / Arbitrary Code Execution
Overview Versions of safer-eval before 1.3.2 are vulnerable to Sandbox Escape leading to Remote Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Recommendation Upgrade to version 1.3.2. References GitHub Advisory...
@pl-test/c (>=1.1.0 <=1.1.1), @pl-test/e (=1.1.0) potentially affected by CVE-2019-10760 via safer-eval (=1.2.3)
safer-eval NPM version =1.2.3 is affected by a known vulnerability. The following packages have a transitive dependency on safer-eval and may be impacted: - @pl-test/c =1.1.0, =1.1.1 - @pl-test/e =1.1.0 Source cves: CVE-2019-10760 Source advisory: SNYK:JS-SAFEREVAL-473029...
Arbitrary Code Execution
Overview safer-eval is a safer approach for eval in node and browser. Affected versions of this package are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code. Remediation Upgrade safer-eval to version 1.3.2 or higher...
CVE-2019-9115
In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage...
CVE-2019-9115
In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage...
Code injection
In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage...
CVE-2019-9115
In irisnet-crypto before 1.1.7 for IRISnet, the util/utils.js file allows code execution because of unsafe eval usage...
CVE-2019-9115
irisnet-crypto before 1.1.7 for IRISnet contains unsafe eval usage in util/utils.js, enabling remote code execution (RCE). This is confirmed by multiple sources (GHSA-5FH8-X9XC-HXMC, OSV) and aligns with CVE-2019-9115 severity (NVD: high/critical). Mitigation: upgrade to version 1.1.7 or later; n...
Arbitrary Code Execution
static-eval is vulnerable to arbitrary code execution. The vulnerability is possible because there is no protection by sandbox isolated process, allowing the user to input malicious code through it...
Design/Logic Flaw
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...
CVE-2019-7719
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...
Design/Logic Flaw
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2019-7719
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...