Vulnerabilities > Improper Control of Generation of Code ('Code Injection')
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2017-07-31 | CVE-2017-11760 | Code Injection vulnerability in Projeqtor: uploadImage.php in ProjeQtOr before 6.3.2 allows remote authenticated users to execute arbitrary PHP code by uploading a .php file composed of concatenated image data and script data, as demonstrated by uploading as an image within the description text area. | 8.8 |
2017-07-28 | CVE-2017-11715 | Code Injection vulnerability in Metinfo Project Metinfo: job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php. | 9.8 |
2017-07-27 | CVE-2017-11675 | Code Injection vulnerability in Zen-Cart ZEN Cart 1.5.5E: The traverseStrictSanitize function in admin_dir/includes/classes/AdminRequestSanitizer.php in ZenCart 1.5.5e mishandles key strings, which allows remote authenticated users to execute arbitrary PHP code by placing that code into an invalid array index of the admin_name array parameter to admin_dir/login.php, if there is an export of an error-log entry for that invalid array index. | 8.8 |
2017-07-25 | CVE-2017-11459 | Code Injection vulnerability in SAP Trex 7.10: SAP TREX 7.10 allows remote attackers to (1) read arbitrary files via an fget command or (2) write to arbitrary files and consequently execute arbitrary code via an fdir command, aka SAP Security Note 2419592. | 9.8 |
2017-07-24 | CVE-2017-11585 | Code Injection vulnerability in Finecms 5.0.9: dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. | 9.8 |
2017-07-21 | CVE-2015-3640 | Code Injection vulnerability in PHPmybackuppro: phpMyBackupPro 2.5 and earlier does not properly escape the "." character in request parameters, which allows remote authenticated users with knowledge of a web-accessible and web-writeable directory on the target system to inject and execute arbitrary PHP scripts by injecting scripts via the path, filename, and dirs parameters to scheduled.php, and making requests to injected scripts. | 7.5 |
2017-07-21 | CVE-2015-3638 | Code Injection vulnerability in PHPmybackuppro: phpMyBackupPro before 2.5 does not validate integer input, which allows remote authenticated users to execute arbitrary PHP code by injecting scripts via the path, filename, and period parameters to scheduled.php, and making requests to injected scripts, or by injecting PHP into a PHP configuration variable via a PHP variable variable. | 8.8 |
2017-07-20 | CVE-2017-9822 | Code Injection vulnerability in Dnnsoftware Dotnetnuke: DNN (aka DotNetNuke) before 9.1.1 has Remote Code Execution via a cookie, aka "2017-08 (Critical) Possible remote code execution on DNN sites." | 8.8 |
2017-07-18 | CVE-2017-11421 | Code Injection vulnerability in Gnome-Exe-Thumbnailer Project Gnome-Exe-Thumbnailer 0.9.4: gnome-exe-thumbnailer before 0.9.5 is prone to a VBScript Injection when generating thumbnails for MSI files, aka the "Bad Taste" issue. | 7.8 |
2017-07-17 | CVE-2015-0249 | Code Injection vulnerability in Apache Roller 5.1.0/5.1.1: The weblog page template in Apache Roller 5.1 through 5.1.1 allows remote authenticated users with admin privileges for a weblog to execute arbitrary Java code via crafted Velocity Text Language (aka VTL). | 7.2 |