
7223 matches found

ATTACKERKB
added 2019/02/21 12:0 a.m., 41 views

Drupal core - Highly critical - Remote Code Execution

Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core...

8.1 CVSS, 2.7 AI score, 0.91919 EPSS
In wild, Exploits 22, References 10

OpenVAS
added 2019/02/21 12:0 a.m., 120 views

Drupal RCE Vulnerability (SA-CORE-2019-003) - Windows

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s)...

8.1 CVSS, 8.5 AI score, 0.91919 EPSS
Exploits 22, References 3

OpenVAS
added 2019/02/21 12:0 a.m., 159 views

Drupal RCE Vulnerability (SA-CORE-2019-003) - Linux

Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holder(s)...

8.1 CVSS, 8.5 AI score, 0.91919 EPSS
Exploits 22, References 3

FreeBSD
added 2019/02/20 12:0 a.m., 45 views

drupal -- Drupal core - Highly critical - Remote Code Execution

Drupal Security Team: Some field types do not properly sanitize data from non-form sources. This can lead to arbitrary PHP code execution in some cases...

8.1 CVSS, 2 AI score, 0.91919 EPSS
Exploits 22, References 1

NVD
added 2019/02/18 6:29 p.m., 22 views

CVE-2019-8908

An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...

9.8 CVSS, 9.8 AI score, 0.02283 EPSS
Exploits 1, References 1

Prion
added 2019/02/18 6:29 p.m., 21 views

Design/Logic Flaw

An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...

7.5 CVSS, 9.7 AI score, 0.02283 EPSS
Exploits 1, References 1, Affected Software 1

Cvelist
added 2019/02/18 6:0 p.m., 19 views

CVE-2019-8908

An issue was discovered in WTCMS 1.0. It allows remote attackers to execute arbitrary PHP code by going to the "Setting - Mailbox configuration - Registration email template" screen, and uploading an image file, as demonstrated by a .php filename and the "Content-Type: image/gif" header...

9.8 AI score, 0.02283 EPSS
Exploits 1, References 1

CVE
added 2019/02/18 6:0 p.m., 44 views

CVE-2019-8908

CVE-2019-8908 affects WTCMS 1.0. An arbitrary PHP code execution is possible by visiting Settings → Mailbox configuration → Registration email template and uploading an image file, demonstrated with a .php filename and the Content-Type: image/gif header. The issue is triggered through the image u...

9.8 CVSS, 9.7 AI score, 0.02283 EPSS
Exploits 1, References 1, Affected Software 1

Prion
added 2019/02/11 4:29 a.m., 14 views

Design/Logic Flaw

taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...

7.5 CVSS, 9.6 AI score, 0.01607 EPSS
Exploits 1, References 1, Affected Software 1

Prion
added 2019/02/11 4:29 a.m., 19 views

Design/Logic Flaw

Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...

7.5 CVSS, 9.6 AI score, 0.01717 EPSS
Exploits 1, References 1, Affected Software 1

NVD
added 2019/02/11 4:29 a.m., 17 views

CVE-2019-7718

An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...

8.1 CVSS, 8.3 AI score, 0.01013 EPSS
Exploits 1, References 1

NVD
added 2019/02/11 4:29 a.m., 24 views

CVE-2019-7720

taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...

9.8 CVSS, 9.7 AI score, 0.01607 EPSS
Exploits 1, References 1

OSV
added 2019/02/11 4:29 a.m., 3 views

CVE-2019-7718

An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...

8.1 CVSS, 7.5 AI score, 0.01013 EPSS
Exploits 1, References 1

Prion
added 2019/02/11 4:29 a.m., 16 views

Race condition

An issue was discovered in Metinfo 6.x. An attacker can leverage a race condition in the backend database backup function to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=?php and admin/databack/bakuptables.php?2=fileputcontents URIs because...

6.8 CVSS, 8.3 AI score, 0.01013 EPSS
Exploits 1, References 1, Affected Software 1

OSV
added 2019/02/11 4:29 a.m., 4 views

CVE-2019-7720

taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...

9.8 CVSS, 5.8 AI score
Exploits 0, References 1

Cvelist
added 2019/02/11 3:0 a.m., 16 views

CVE-2019-7719

Nibbleblog 4.0.5 allows eval injection by placing PHP code in the install.php username parameter and then making a content/private/shadow.php request...

9.7 AI score, 0.01717 EPSS
Exploits 1, References 1

CVE
added 2019/02/11 3:0 a.m., 44 views

CVE-2019-7718

MetInfo 6.x contains a race condition in the backend database backup function. The issue allows an attacker to execute arbitrary PHP code via admin/index.php?n=databack&c=index&a=dogetsql&tables=

8.1 CVSS, 8.2 AI score, 0.01013 EPSS
Exploits 1, References 1, Affected Software 1

Cvelist
added 2019/02/11 3:0 a.m., 27 views

CVE-2019-7720

taocms through 2014-05-24 allows eval injection by placing PHP code in the install.php dbname parameter and then making a config.php request...

9.7 AI score, 0.01607 EPSS
Exploits 1, References 1

CVE
added 2019/02/11 3:0 a.m., 47 views

CVE-2019-7720

The CVE-2019-7720 entry applies to TaoCMS, describing an eval-injection flaw in which PHP code can be placed in the install.php db_name parameter and then triggered via a config.php request. Red Hat and other sources corroborate the same issue, indicating the root cause is eval injection leading ...

9.8 CVSS, 9.6 AI score, 0.01607 EPSS
Exploits 1, References 1, Affected Software 1

OSV
added 2019/02/11 2:29 a.m., 2 views

CVE-2018-20775

admin/?/plugin/filemanager in Frog CMS 0.9.5 allows PHP code execution by creating a new .php file containing PHP code, and then visiting this file under the public/ URI...

7.2 CVSS, 6.2 AI score, 0.02107 EPSS
Exploits 1, References 1