Vulnerabilities (CVE)

Filtered by CWE-94
Total 3185 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2021-44529 1 Ivanti 1 Endpoint Manager Cloud Services Appliance 2024-03-26 7.5 HIGH 9.8 CRITICAL
A code injection vulnerability in the Ivanti EPM Cloud Services Appliance (CSA) allows an unauthenticated user to execute arbitrary code with limited permissions (nobody).
CVE-2024-28116 2024-03-22 N/A 8.8 HIGH
Grav is an open-source, flat-file content management system. Grav CMS prior to version 1.7.45 is vulnerable to a Server-Side Template Injection (SSTI), which allows any authenticated user (editor permissions are sufficient) to execute arbitrary code on the remote server bypassing the existing security sandbox. Version 1.7.45 contains a patch for this issue.
CVE-2024-28117 2024-03-22 N/A 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, Grav validates accessible functions through the Utils::isDangerousFunction function, but does not impose restrictions on twig functions like twig_array_map, allowing attackers to bypass the validation and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Upgrading to patched version 1.7.45 can mitigate this issue.
CVE-2024-28119 2024-03-22 N/A 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from grav context, an attacker can redefine the escape function and execute arbitrary commands. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a patch for this issue.
CVE-2024-28118 2024-03-22 N/A 8.8 HIGH
Grav is an open-source, flat-file content management system. Prior to version 1.7.45, due to the unrestricted access to twig extension class from Grav context, an attacker can redefine config variable. As a result, attacker can bypass a previous SSTI mitigation. Twig processing of static pages can be enabled in the front matter by any administrative user allowed to create or edit pages. As the Twig processor runs unsandboxed, this behavior can be used to gain arbitrary code execution and elevate privileges on the instance. Version 1.7.45 contains a fix for this issue.
CVE-2024-28848 2024-03-21 N/A 8.8 HIGH
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. The `‎CompiledRule::validateExpression` method evaluates an SpEL expression using an `StandardEvaluationContext`, allowing the expression to reach and interact with Java classes such as `java.lang.Runtime`, leading to Remote Code Execution. The `/api/v1/policies/validation/condition/<expression>` endpoint passes user-controlled data `CompiledRule::validateExpession` allowing authenticated (non-admin) users to execute arbitrary system commands on the underlaying operating system. In addition, there is a missing authorization check since `Authorizer.authorize()` is never called in the affected path and therefore any authenticated non-admin user is able to trigger this endpoint and evaluate arbitrary SpEL expressions leading to arbitrary command execution. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-236`. This issue may lead to Remote Code Execution and has been resolved in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-23746 2 Apple, Miro 2 Macos, Miro 2024-03-21 N/A 9.8 CRITICAL
Miro Desktop 0.8.18 on macOS allows local Electron code injection via a complex series of steps that might be usable in some environments (bypass a kTCCServiceSystemPolicyAppBundles requirement via a file copy, an app.app/Contents rename, an asar modification, and a rename back to app.app/Contents).
CVE-2024-28847 2024-03-17 N/A 8.8 HIGH
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. Similarly to the GHSL-2023-250 issue, `AlertUtil::validateExpression` is also called from `EventSubscriptionRepository.prepare()`, which can lead to Remote Code Execution. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that, even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and, therefore, after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/events/subscriptions` which gets handled by `EventSubscriptionResource.createOrUpdateEventSubscription()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query. This issue may lead to Remote Code Execution and has been addressed in version 1.2.4. Users are advised to upgrade. There are no known workarounds for this vulnerability. This issue is also tracked as `GHSL-2023-251`.
CVE-2024-28253 2024-03-17 N/A 9.4 CRITICAL
OpenMetadata is a unified platform for discovery, observability, and governance powered by a central metadata repository, in-depth lineage, and seamless team collaboration. `CompiledRule::validateExpression` is also called from `PolicyRepository.prepare`. `prepare()` is called from `EntityRepository.prepareInternal()` which, in turn, gets called from `EntityResource.createOrUpdate()`. Note that even though there is an authorization check (`authorizer.authorize()`), it gets called after `prepareInternal()` gets called and therefore after the SpEL expression has been evaluated. In order to reach this method, an attacker can send a PUT request to `/api/v1/policies` which gets handled by `PolicyResource.createOrUpdate()`. This vulnerability was discovered with the help of CodeQL's Expression language injection (Spring) query and is also tracked as `GHSL-2023-252`. This issue may lead to Remote Code Execution and has been addressed in version 1.3.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVE-2024-22127 2024-03-12 N/A 9.1 CRITICAL
SAP NetWeaver Administrator AS Java (Administrator Log Viewer plug-in) - version 7.50, allows an attacker with high privileges to upload potentially dangerous files which leads to command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application.
CVE-2023-25910 1 Siemens 3 Simatic Pcs 7, Simatic S7-pm, Simatic Step 7 2024-03-12 N/A 8.8 HIGH
A vulnerability has been identified in SIMATIC PCS 7 (All versions < V9.1 SP2 UC04), SIMATIC S7-PM (All versions), SIMATIC STEP 7 V5 (All versions < V5.7). The affected product contains a database management system that could allow remote users with low privileges to use embedded functions of the database (local or in a network share) that have impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code with elevated privileges in the database management system's server.
CVE-2023-5044 1 Kubernetes 1 Ingress-nginx 2024-03-07 N/A 8.8 HIGH
Code injection via nginx.ingress.kubernetes.io/permanent-redirect annotation.
CVE-2024-0917 2024-03-07 N/A 9.4 CRITICAL
remote code execution in paddlepaddle/paddle 2.6.0
CVE-2024-1885 2024-02-29 N/A 6.3 MEDIUM
This vulnerability allows remote attackers to execute arbitrary code on the affected webOS of LG Signage.
CVE-2023-52251 1 Provectus 1 Ui 2024-02-29 N/A 8.8 HIGH
An issue discovered in provectus kafka-ui 0.4.0 through 0.7.1 allows remote attackers to execute arbitrary code via the q parameter of /api/clusters/local/topics/{topic}/messages.
CVE-2023-32095 1 Milandinic 1 Rename Media Files 2024-02-29 N/A 8.8 HIGH
Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinić Rename Media Files.This issue affects Rename Media Files: from n/a through 1.0.1.
CVE-2020-8218 2 Ivanti, Pulsesecure 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more 2024-02-27 6.5 MEDIUM 7.2 HIGH
A code injection vulnerability exists in Pulse Connect Secure <9.1R8 that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.
CVE-2020-8243 2 Ivanti, Pulsesecure 4 Connect Secure, Policy Secure, Pulse Connect Secure and 1 more 2024-02-27 6.5 MEDIUM 7.2 HIGH
A vulnerability in the Pulse Connect Secure < 9.1R8.2 admin web interface could allow an authenticated attacker to upload custom template to perform an arbitrary code execution.
CVE-2023-50379 2024-02-27 N/A N/A
Malicious code injection in Apache Ambari in prior to 2.7.8. Users are recommended to upgrade to version 2.7.8, which fixes this issue. Impact: A Cluster Operator can manipulate the request by adding a malicious code injection and gain a root over the cluster main host.
CVE-2024-0220 2024-02-22 N/A 8.3 HIGH
B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. Missing Encryption of Sensitive Data, Cleartext Transmission of Sensitive Information, Improper Control of Generation of Code ('Code Injection'), Inadequate Encryption Strength vulnerability in B&R Industrial Automation B&R Automation Studio (Upgrade Service modules), B&R Industrial Automation Technology Guarding.This issue affects B&R Automation Studio: <4.6; Technology Guarding: <1.4.0.