7207 matches found
CVE-2019-9002
An issue was discovered in Tiny Issue 1.3.1 and pixeline Bugs through 1.3.2c. install/config-setup.php allows remote attackers to execute arbitrary PHP code via the databasehost parameter if the installer remains present in its original directory after installation is completed...
CVE-2019-6340
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core...
Highly Critical Drupal CMS Flaw Affects Millions of Websites
The Drupal open-source content management system platform has issued an advisory for a highly critical remote-code execution RCE flaw in the Drupal core. The vulnerability CVE-2019-6340 arises from the fact that “some field types do not properly sanitize data from non-form sources,” according to...
Another Critical Flaw in Drupal Discovered — Update Your Site ASAP!
Developers of Drupal—a popular open-source content management system software that powers millions of websites—have released the latest version of their software to patch a critical vulnerability that could allow remote attackers to hack your site. The update came two days after the Drupal securi...
Drupal core - Highly critical - Remote Code Execution
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core...
Drupal RCE Vulnerability (SA-CORE-2019-003) - Windows
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...
Drupal RCE Vulnerability (SA-CORE-2019-003) - Linux
Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders...
drupal -- Drupal core - Highly critical - Remote Code Execution
Drupal Security Team Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases...
CVE-2019-8908
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...
Design/Logic Flaw
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...
CVE-2019-8908
CVE-2019-8908 affects WTCMS 1.0. An arbitrary PHP code execution is possible by visiting Settings → Mailbox configuration → Registration email template and uploading an image file, demonstrated with a .php filename and the Content-Type: image/gif header. The issue is triggered through the image u...
CVE-2019-8908
An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...
Design/Logic Flaw
Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...
CVE-2019-7718
An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...
Design/Logic Flaw
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...
Race condition
An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...
CVE-2019-7718
An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...
CVE-2019-7720
taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...