CWE-94
Improper Control of Generation of Code ('Code Injection')
Abstraction: Base · Status: Draft · Likelihood of exploit: Medium
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
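To make the description concrete, here is an added example (not part of the CWE entry and not taken from any of the products listed below) of the pattern in a tiny discount-expression evaluator. The function names, the `price` variable and the payloads are illustrative assumptions. The vulnerable version hands the user's string to `eval`, so the input can change the syntax and behaviour of the code being generated; the hardened version parses the string into an AST and interprets only an allowlisted subset, so a call, attribute access or unknown name is rejected before anything executes.

```python
"""CWE-94 illustrated: a user-supplied arithmetic expression evaluated in Python.

Added example; names and payloads are assumptions, not drawn from the CWE entry.
"""
import ast
import operator
import os


# ---- vulnerable: the externally influenced string becomes code ---------------
def eval_discount_vulnerable(expr: str, price: float) -> float:
    # The expression string is compiled and run verbatim. Anything Python can
    # express (calls, attribute access, imports) is accepted, not just arithmetic.
    return eval(expr, {"price": price})


# ---- hardened: parse first, then interpret only an allowlisted AST subset ----
class UnsafeExpression(ValueError):
    """Raised when the expression uses syntax outside the allowlist."""


_BIN_OPS = {
    ast.Add: operator.add,
    ast.Sub: operator.sub,
    ast.Mult: operator.mul,
    ast.Div: operator.truediv,
}
_UNARY_OPS = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def _interp(node: ast.AST, names: dict) -> float:
    # Every node type that is not explicitly handled here is refused, which is
    # what keeps ast.Call, ast.Attribute, ast.Subscript etc. out of reach.
    if isinstance(node, ast.Expression):
        return _interp(node.body, names)
    if (isinstance(node, ast.Constant)
            and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in names:
            return names[node.id]
        raise UnsafeExpression(f"unknown name {node.id!r}")
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        return _BIN_OPS[type(node.op)](_interp(node.left, names),
                                       _interp(node.right, names))
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY_OPS:
        return _UNARY_OPS[type(node.op)](_interp(node.operand, names))
    raise UnsafeExpression(f"disallowed syntax: {type(node).__name__}")


def eval_discount_safe(expr: str, price: float) -> float:
    tree = ast.parse(expr, mode="eval")  # parsing only; nothing is executed
    return float(_interp(tree, {"price": price}))


# ---- demonstration helpers ---------------------------------------------------
# A benign payload that proves arbitrary code ran: it calls into the os module,
# which a discount expression has no business doing.
INJECTION_PAYLOAD = "__import__('os').getpid()"


def injection_succeeds() -> bool:
    """True if the vulnerable evaluator executed the payload as code."""
    return eval_discount_vulnerable(INJECTION_PAYLOAD, 100.0) == os.getpid()


def injection_blocked() -> bool:
    """True if the hardened evaluator refused the payload without running it."""
    try:
        eval_discount_safe(INJECTION_PAYLOAD, 100.0)
    except UnsafeExpression:
        return True
    return False


if __name__ == "__main__":
    print("legit:", eval_discount_safe("price * 0.9", 100.0))
    print("vulnerable executes payload:", injection_succeeds())
    print("hardened blocks payload:", injection_blocked())
```

The point of the hardened version is not the allowlist's exact contents but the shape of the fix: the untrusted string is never compiled as code, and the interpreter refuses any node type it does not recognise rather than trying to filter out dangerous ones. Stripping `__builtins__` from the `eval` globals is not an equivalent defence, since attribute chains such as `().__class__.__base__.__subclasses__()` remain reachable.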
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (3,775)
page 12 of 189

| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-48204 | Cri | 0.64 | 9.8 | 0.01 | | Oct 25, 2024 | SQL injection vulnerability in Hanzhou Haobo network management system 1.0 allows a remote attacker to execute arbitrary code via a crafted script. |
| CVE-2024-48514 | Cri | 0.64 | 9.8 | 0.00 | | Oct 24, 2024 | php-heic-to-jpg <= 1.0.5 is vulnerable to code injection (fixed in 1.0.6). An attacker who can upload HEIC images is able to execute code on the remote server via the file name. As a result, confidentiality, integrity and availability are no longer guaranteed. This affects php-heic-to-jpg 1.0.5 and below. |
| CVE-2024-21534 | Cri | 0.64 | 9.8 | 0.93 | | Oct 11, 2024 | All versions of the package jsonpath-plus are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** There were several attempts to fix it in versions [10.0.0-10.1.0](https://github.com/JSONPath-Plus/JSONPath/compare/v9.0.0...v10.1.0) but it could still be exploited using [different payloads](https://github.com/JSONPath-Plus/JSONPath/issues/226). |
| CVE-2024-45874 | Cri | 0.64 | 9.8 | 0.00 | | Oct 7, 2024 | A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. |
| CVE-2024-45873 | Cri | 0.64 | 9.8 | 0.01 | | Oct 7, 2024 | A DLL hijacking vulnerability in VegaBird Yaazhini 2.0.2 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Yaazhini.exe. |
| CVE-2024-45186 | Cri | 0.64 | 9.8 | 0.00 | | Oct 2, 2024 | FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials. |
| CVE-2024-35515 | Cri | 0.64 | 9.8 | 0.01 | | Sep 18, 2024 | Insecure deserialization in sqlitedict up to v2.1.0 allows attackers to execute arbitrary code. |
| CVE-2024-45798 | Cri | 0.64 | 9.9 | 0.00 | | Sep 17, 2024 | arduino-esp32 is an Arduino core for the ESP32, ESP32-S2, ESP32-S3, ESP32-C3, ESP32-C6 and ESP32-H2 microcontrollers. The `arduino-esp32` CI is vulnerable to multiple Poisoned Pipeline Execution (PPE) vulnerabilities: code injection in the `tests_results.yml` workflow (`GHSL-2024-169`) and environment variable injection (`GHSL-2024-170`). These issues have been addressed, but users are advised to verify the contents of downloaded artifacts. |
| CVE-2024-45623 | Cri | 0.64 | 9.8 | 0.01 | | Sep 2, 2024 | D-Link DAP-2310 Hardware A Firmware 1.16RC028 allows remote attackers to execute arbitrary code via a stack-based buffer overflow in the ATP binary that handles PHP HTTP GET requests for the Apache HTTP Server (httpd). NOTE: This vulnerability only affects products that are no longer supported by the maintainer. |
| CVE-2024-21552 | Cri | 0.64 | 9.8 | 0.00 | | Jul 22, 2024 | All versions of `SuperAGI` are vulnerable to Arbitrary Code Execution due to unsafe use of the `eval` function. An attacker could induce the LLM output to exploit this vulnerability and gain arbitrary code execution on the SuperAGI application server. |
| CVE-2024-25077 | Cri | 0.64 | 9.8 | 0.00 | | Jul 10, 2024 | An issue was discovered on Renesas SmartBond DA14691, DA14695, DA14697, and DA14699 devices. The nonce used for on-the-fly decryption of flash images is stored in an unsigned header, allowing its value to be modified without invalidating the signature used for secure-boot image verification. Because the encryption engine for on-the-fly decryption uses AES in CTR mode without authentication, an attacker-modified nonce can result in execution of arbitrary code. |
| CVE-2024-39071 | Cri | 0.64 | 9.8 | 0.00 | | Jul 9, 2024 | Fujian Kelixun <= 7.6.6.4391 is vulnerable to SQL injection in send_event.php. |
| CVE-2024-39165 | Cri | 0.64 | 9.8 | 0.04 | | Jul 4, 2024 | QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder is shipped with the product. |
| CVE-2024-39017 | Cri | 0.64 | 9.8 | 0.00 | | Jul 1, 2024 | agreejs shared v0.0.1 was discovered to contain a prototype pollution via the function mergeInternalComponents. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-39015 | Cri | 0.64 | 9.8 | 0.00 | | Jul 1, 2024 | cafebazaar hod v0.4.14 was discovered to contain a prototype pollution via the function request. This vulnerability allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via injecting arbitrary properties. |
| CVE-2024-5826 | Cri | 0.64 | 9.8 | 0.07 | | Jun 27, 2024 | In the latest version of vanna-ai/vanna, the `vanna.ask` function is vulnerable to remote code execution due to prompt injection. The root cause is the lack of a sandbox when executing LLM-generated code, allowing an attacker to manipulate the code executed by the `exec` function in `src/vanna/base/base.py`. This vulnerability can be exploited by an attacker to achieve remote code execution on the app backend server, potentially gaining full control of the server. |
| CVE-2024-39669 | Cri | 0.64 | 9.8 | 0.00 | | Jun 27, 2024 | In the Console in Soffid IAM before 3.5.39, necessary checks were not applied to some Java objects. A malicious agent could possibly execute arbitrary code in the Sync Server and compromise security. |
| CVE-2024-5683 | Cri | 0.64 | 9.8 | 0.00 | | Jun 24, 2024 | Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Management (BPM) allows Remote Code Inclusion. This issue affects Business Process Management (BPM): from 6.6.4.4 before 6.6.4.5. |
| CVE-2024-37124 | Cri | 0.64 | 9.8 | 0.00 | | Jun 19, 2024 | Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file on the PC where the product is installed. |
| CVE-2024-36575 | Cri | 0.64 | 9.8 | 0.00 | | Jun 17, 2024 | A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor. |