7221 matches found
CVE-2017-11760
uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area...
Code injection
In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=configupload, and then using user.php/music/add/ to upload the code...
CVE-2017-11756
In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=configupload, and then using user.php/music/add/ to upload the code...
CVE-2017-11756
In Earcms Ear Music through 4.1 build 20170710, remote authenticated users can execute arbitrary PHP code by changing the allowable music-upload extensions to include .php in addition to .mp3 and .m4a in admin.php?iframe=configupload, and then using user.php/music/add/ to upload the code...
Code injection
job/uploadfilesave.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php...
CVE-2017-11715
job/uploadfilesave.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php...
CVE-2017-11715
job/uploadfilesave.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php...
CVE-2017-11585
CVE-2017-11585 affects dayrui FineCMS 5.0.9 with remote PHP code execution through the param parameter in an action=cache request to libraries/Template.php, described as Eval Injection. The vulnerability allows an attacker to inject and execute arbitrary PHP code on the server. Exploitation and e...
Design/Logic Flaw
phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file...
CVE-2015-3639
phpMyBackupPro 2.5 and earlier does not properly sanitize input strings, which allows remote authenticated users to execute arbitrary PHP code by storing a crafted string in a user configuration file...
CVE-2015-3638
phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configurati...
Code injection
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo input value...
CVE-2017-11167
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo input value...
CVE-2017-11167
FineCMS 2.1.0 allows remote attackers to execute arbitrary PHP code by using a URL Manager "Add Site" action to enter this code after a ', sequence in a domain name, as demonstrated by the ',phpinfo input value...
CVE-2017-10968
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "?php" in a route=template request...
CVE-2017-10968
In FineCMS through 2017-07-07, application\core\controller\template.php allows remote PHP code execution by placing the code after "?php" in a route=template request...
GShark Framework - Check all your backdoors with only one telegram account
This framework can perform web post exploitation, with this you can interact with multiple web backdoor and execute custom module, script. Check all your backdoors with only one telegram messenger account! Connect web backdoor to master server and control it with Telegram Download visual backdoor...
CVE-2017-9841
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the...
Code injection
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the...
CVE-2017-9841
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP code via HTTP POST data beginning with a "?php " substring, as demonstrated by an attack on a site with an exposed /vendor folder, i.e., external access to the...