Vulnerabilities > Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

DATE CVE VULNERABILITY TITLE RISK
2017-02-01 CVE-2017-5630 Injection vulnerability in PHP Pear 1.10.1
PECL in the download utility class in the Installer in PEAR Base System v1.10.1 does not validate file types and filenames after a redirect, which allows remote HTTP servers to overwrite files via crafted responses, as demonstrated by a .htaccess overwrite.
network
low complexity
php CWE-74
7.5
2017-01-30 CVE-2015-2180 Injection vulnerability in Roundcube Webmail
The DBMail driver in the Password plugin in Roundcube before 1.1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the password.
network
low complexity
roundcube CWE-74
8.8
2017-01-23 CVE-2016-4010 Injection vulnerability in Magento
Magento CE and EE before 2.0.6 allows remote attackers to conduct PHP objection injection attacks and execute arbitrary PHP code via crafted serialized shopping cart data.
network
low complexity
magento CWE-74
critical
9.8
2017-01-20 CVE-2016-5013 Injection vulnerability in Moodle
In Moodle 2.x and 3.x, text injection can occur in email headers, potentially leading to outbound spam.
network
low complexity
moodle CWE-74
5.4
2017-01-12 CVE-2016-10131 Injection vulnerability in Codeigniter
system/libraries/Email.php in CodeIgniter before 3.1.3 allows remote attackers to execute arbitrary code by leveraging control over the email->from field to insert sendmail command-line arguments.
network
low complexity
codeigniter CWE-74
critical
9.8
2016-12-14 CVE-2016-6473 Injection vulnerability in Cisco IOS
A vulnerability in Cisco IOS on Catalyst Switches and Nexus 9300 Series Switches could allow an unauthenticated, adjacent attacker to cause a Layer 2 network storm.
low complexity
cisco CWE-74
6.5
2016-12-10 CVE-2016-9832 Injection vulnerability in PWC Ace-Advanced Business Application Programming 8.10.304
PricewaterhouseCoopers (PwC) ACE-ABAP 8.10.304 for SAP Security allows remote authenticated users to conduct ABAP injection attacks and execute arbitrary code via (1) SAPGUI or (2) Internet Communication Framework (ICF) over HTTP or HTTPS, as demonstrated by WEBGUI or Report.
network
low complexity
pwc CWE-74
critical
9.9
2016-11-29 CVE-2016-5685 Injection vulnerability in Dell Idrac7 Firmware and Idrac8 Firmware
Dell iDRAC7 and iDRAC8 devices with firmware before 2.40.40.40 allow authenticated users to gain Bash shell access through a string injection.
network
low complexity
dell CWE-74
8.8
2016-11-25 CVE-2016-6754 Injection vulnerability in Google Android
A remote code execution vulnerability in Webview in Android 5.0.x before 5.0.2, 5.1.x before 5.1.1, and 6.x before 2016-11-05 could enable a remote attacker to execute arbitrary code when the user is navigating to a website.
network
low complexity
google CWE-74
8.8
2016-09-12 CVE-2016-7125 Injection vulnerability in PHP
ext/session/session.c in PHP before 5.6.25 and 7.x before 7.0.10 skips invalid session names in a way that triggers incorrect parsing, which allows remote attackers to inject arbitrary-type session data by leveraging control of a session name, as demonstrated by object injection.
network
low complexity
php CWE-74
7.5