CVE-2019-5009
Vtiger CRM 7.1.0 before Hotfix2 allows uploading files with the extension "php3" in the logo upload field, if the uploaded file is in PNG format and has a size of 150x40. One can put PHP code into the image; PHP code can be executed using "" tags, as demonstrated by a CompanyDetailsSave action...
CVE-2019-5009
Vtiger CRM 7.1.0 before Hotfix2 contains a file-upload vulnerability in the logo field: an uploaded 150x40 PNG image with the allowed "php3" extension can carry PHP code, bypassing the extension filter and enabling code execution via the image (e.g., using PHP tags). Affected files/documented ...
SugarCRM Web Logic Hooks Module PHP Code Injection Vulnerability
SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a PHP code injection vulnerability. User input passed through the "triggerevent" parameter is not properly sanitized before being used to save PHP code into the 'logichooks.php' file through the Web Logic Hooks module. This can be...
SugarCRM Web Logic Hooks Module Path Traversal Vulnerability
SugarCRM versions prior to 7.9.5.0, 8.0.2, and 8.2.0 suffer from a path traversal vulnerability. User input passed through the "webhooktargetmodule" parameter is not properly sanitized before being used to save PHP code into the hooks file through the Web Logic Hooks module. This can be exploited...
SugarCRM WorkFlow PHP Code Injection Vulnerability
SugarCRM versions prior to 7.9.4.0 and 7.11.0.0 suffer from a PHP code injection vulnerability in the WorkFlow module. User input passed through the $_POST['basemodule'] parameter to the "Save" action of the WorkFlow module is not properly sanitized before being used to write data into the...
SugarCRM (WorkFlow module) PHP Code Injection Vulnerability
SugarCRM is an open source Customer Relationship Management (CRM) system from SugarCRM (USA). The system supports differentiated marketing, management and distribution of sales leads for different customer needs, and enables information sharing and tracking of sales representatives. A PHP code...
SugarCRM WorkFlow PHP Code Injection
----------------------------------------------------------- SugarCRM WorkFlow module PHP Code Injection Vulnerability ----------------------------------------------------------- - Software Link: http://www.sugarcrm.com - Affected Versions: All versions prior to 7.9.4.0 and 7.11.0.0. - Vulnerabili...
CVE-2018-20599
UCMS 1.4.7 allows remote attackers to execute arbitrary PHP code by entering this code during an index.php sadminfileedit action...
Code injection
imcat 4.4 allows remote attackers to execute arbitrary PHP code by using root/run/adm.php to modify the boot/bootskip.php file...
CVE-2018-20129: DedeCMS V5.7 SP2 front-end file upload getshell vulnerability alert - vulnerability alerts - the black bar safety net
On 2018-12-11 the CVE Chinese application station published a file upload vulnerability in DedeCMS 5.7 SP2, the latest version; an attacker with administrator privileges can exploit it to upload a webshell and execute arbitrary PHP code. After analysis and verification, the vulnerability...
CVE-2018-1000811
bludit version 3.0.0 contains an Unrestricted Upload of File with Dangerous Type vulnerability in Content Upload in Pages Editor that can result in Remote Command Execution. This attack appears to be exploitable when a malicious user uploads a crafted payload containing PHP code...
Code injection
Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file...
CVE-2018-20300
Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file...
CVE-2018-20156
The WP Maintenance Mode plugin before 2.0.7 for WordPress allows remote authenticated "site administrator" users to execute arbitrary PHP code throughout a multisite network...