CWE-20

An issue was discovered in Froxlor before 0.10.14. Remote attackers with access to the installation routine could have executed arbitrary code via the database configuration options that were passed unescaped to exec, because of _backupExistingDatabase in…

An issue was discovered in Froxlor before 0.10.14. It created files with static names in /tmp during installation if the installation directory was not writable. This allowed local attackers to cause DoS or disclose information out of the config files, because of…

Reactor Netty HttpServer, versions 0.9.3 and 0.9.4, is exposed to a URISyntaxException that causes the connection to be closed prematurely instead of producing a 400 response.

Lack of input validation in pdf-image npm package version <= 2.0.0 may allow an attacker to run arbitrary code if PDF file path is constructed based on untrusted user input.

uap-core before 0.7.3 is vulnerable to a denial of service attack when processing crafted User-Agent strings. Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by…

The Moped::BSON::ObjecId.legal? method in rubygem-moped before commit dd5a7c14b5d2e466f7875d079af71ad19774609b allows remote attackers to cause a denial of service (worker resource consumption) or perform a cross-site scripting (XSS) attack via a crafted string.

The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

taffydb npm module, vulnerable in all versions up to and including 2.7.3, allows attackers to forge adding additional properties into user-input processed by taffy which can allow access to any data items in the DB. taffy sets an internal index for each data item in its DB.…

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

Ruby PDFKit gem prior to 0.5.3 has a Code Execution Vulnerability

network-manager through 1.0.2 allows remote attackers to execute arbitrary commands via the "execSync()" argument.

Flaw in input validation in npm package klona version 1.1.0 and earlier may allow prototype pollution attack that may result in remote code execution or denial of service of applications using klona.

Insufficient validation and sanitization of user input exists in url-parse npm package version 1.4.4 and earlier may allow attacker to bypass security checks.

Grin through 2.1.1 has Insufficient Validation.

The papercrop gem before 0.3.0 for Ruby on Rails does not properly handle crop input.

The create function in app/code/core/Mage/Catalog/Model/Product/Api/V2.php in Magento Community Edition (CE) before 1.9.2.1 and Enterprise Edition (EE) before 1.14.2.1, when used with PHP before 5.4.24 or 5.5.8, allows remote authenticated users to execute arbitrary PHP code via…

Versions < 1.5 of the Kubernetes ingress default backend, which handles invalid ingress traffic, exposed prometheus metrics publicly.

A remote code execution issue was discovered in HashBrown CMS through 1.3.3. Server/Entity/Deployer/GitDeployer.js has a Service.AppService.exec call that mishandles the URL, repository, username, and password.

Pebble Templates 3.1.2 allows attackers to bypass a protection mechanism (intended to block access to instances of java.lang.Class) because getClass is accessible via the public static java.lang.Class java.lang.Class.forName(java.lang.Module,java.lang.String) signature.