CVE-2019-17300

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by a Developer user...

CVE-2019-17370

OTCMS v3.85 allows arbitrary PHP Code Execution because admin/sysCheckFiledeal.php blocks "into outfile" in a SELECT statement, but does not block the "into//outfile" manipulation. Therefore, the attacker can create a .php file...

CVE-2019-14252

An issue was discovered in the secure portal in Publisure 2.1.2. Once successfully authenticated as an administrator, one is able to inject arbitrary PHP code by using the adminCons.php form. The code is then stored in the E:\PUBLISURE\webservice\webpages\AdminDir\Templates\ folder even if remove...

CVE-2018-11736

An issue was discovered in Pluck before 4.7.7-dev2. /data/inc/images.php allows remote attackers to upload and execute arbitrary PHP code by using the image/jpeg content type for a .htaccess file...

CVE-2019-14788

wp-admin/admin-ajax.php?action=newslettersexportmultiple in the Tribulant Newsletters plugin before 4.6.19 for WordPress allows directory traversal with resultant remote PHP code execution via the subscribers11 parameter in conjunction with an exportfile=../ value...

CVE-2019-17307

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Tracker module by an Admin user...

CVE-2019-17308

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Emails module by a Regular user...

CVE-2019-17304

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the MergeRecords module by an Admin user...

CVE-2019-17299

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Administration module by an Admin user...

CVE-2019-16113

Bludit 3.9.2 allows remote code execution via bl-kernel/ajax/upload-images.php because PHP code can be entered with a .jpg file name, and then this PHP code can write other PHP code to a ../ pathname...

CVE-2019-10015

baigoStudio baigoSSO v3.0.1 allows remote attackers to execute arbitrary PHP code via the first form field of a configuration screen, because this code is written to the BGSITENAME field in the optbase.inc.php file...

CVE-2018-20605

imcat 4.4 allows remote attackers to execute arbitrary PHP code by using root/run/adm.php to modify the boot/bootskip.php file...

CVE-2018-18892

MiniCMS 1.10 allows execution of arbitrary PHP code via the install.php sitename parameter, which affects the sitename field in mcconf.php...

CVE-2017-1000160

EllisLab ExpressionEngine 3.4.2 is vulnerable to cross-site scripting resulting in PHP code injection...

CVE-2018-16604

An issue was discovered in Nibbleblog v4.0.5. With an admin's username and password, an attacker can execute arbitrary PHP code by changing the username because the username is surrounded by double quotes e.g., "$phpinfo"...

CVE-2015-9499

The Showbiz Pro plugin through 1.7.1 for WordPress has PHP code execution by uploading a .php file within a ZIP archive...

CVE-2012-4343

Multiple unspecified vulnerabilities in Gallery 3 before 3.0.4 allow attackers to execute arbitrary PHP code via unknown vectors...

CVE-2017-14346

upload.php in tianchoy/blog through 2017-09-12 allows unrestricted file upload and PHP code execution by using the image/jpeg, image/pjpeg, image/png, or image/gif content type for a .php file...

CVE-2013-3629

ISPConfig 3.0.5.2 has Arbitrary PHP Code Execution...

CVE-2019-17306

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows PHP code injection in the Configurator module by an Admin user...