VYPR

CWE-94

Improper Control of Generation of Code ('Code Injection')

Base · Draft · Likelihood: Medium

Description

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-242 · CAPEC-35 · CAPEC-77

CVEs mapped to this weakness (4,701)

page 14 of 236
  • CVE-2023-49830 · Critical · Dec 29, 2023
    risk 0.64 · cvss 9.9 · epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro. This issue affects Astra Pro: from n/a through 4.3.1.

  • CVE-2023-46623 · Critical · Dec 29, 2023
    risk 0.64 · cvss 9.9 · epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in TienCOP WP EXtra. This issue affects WP EXtra: from n/a through 6.2.

  • CVE-2023-32095 · Critical · Dec 29, 2023
    risk 0.64 · cvss 9.9 · epss 0.01

    Improper Control of Generation of Code ('Code Injection') vulnerability in Milan Dinić Rename Media Files. This issue affects Rename Media Files: from n/a through 1.0.1.

  • CVE-2023-4994 · Critical · Sep 16, 2023
    risk 0.64 · cvss 9.9 · epss 0.01

    The Allow PHP in Posts and Pages plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 3.0.4 via the 'php' shortcode. This allows authenticated attackers with subscriber-level permissions or above to execute code on the server.

  • CVE-2018-7633 · Critical · Oct 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    Code injection in the /ui/login form Language parameter in Epicentro E_7.3.2+ allows attackers to execute JavaScript code by making a user issue a manipulated POST request.

  • CVE-2018-18083 · Critical · Oct 9, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered in DuomiCMS 3.0. Remote PHP code execution is possible via the search.php searchword parameter because "eval" is used during "if" processing.

  • CVE-2015-9272 · Critical · Oct 5, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    The videowhisper-video-presentation plugin 3.31.17 for WordPress allows remote attackers to execute arbitrary code because vp/vw_upload.php considers a file safe when "html" are the last four characters of its name, as demonstrated by a .phtml file containing PHP code.

  • CVE-2018-14804 · Critical · Oct 1, 2018
    risk 0.64 · cvss 9.8 · epss 0.04

    Emerson AMS Device Manager v12.0 to v13.5: a specially crafted script may be run that allows arbitrary remote code execution.

  • CVE-2018-17126 · Critical · Sep 17, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    CScms 4.1 allows remote code execution, as demonstrated by 1');eval($_POST[cmd]);# in Web Name to upload\plugins\sys\Install.php.

  • CVE-2018-17036 · Critical · Sep 14, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered in UCMS 1.4.6 and 1.6. It allows PHP code injection during installation via the systemdomain parameter to install/index.php, as demonstrated by injecting a phpinfo() call into /inc/config.php.

  • CVE-2018-16771 · Critical · Sep 10, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    Hoosk v1.7.0 allows PHP code execution via a SiteUrl that is provided during installation and mishandled in config.php.

  • CVE-2011-2767 · Critical · Aug 26, 2018
    risk 0.64 · cvss 9.8 · epss 0.09

    mod_perl 2.0 through 2.0.10 allows attackers to execute arbitrary Perl code by placing it in a user-owned .htaccess file, because (contrary to the documentation) there is no configuration option that permits Perl code for the administrator's control of HTTP request processing…

  • CVE-2018-3784 · Critical · Aug 17, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    A code injection in cryo 0.0.6 allows an attacker to execute arbitrary code due to an insecure implementation of deserialization.

  • CVE-2018-14579 · Critical · Jul 24, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    GolemCMS through 2008-12-24, if the install/ directory remains active after an installation, allows remote attackers to execute arbitrary PHP code by inserting this code into the "Database Information" "Table prefix" form field, or obtain sensitive information via a direct…

  • CVE-2018-1999022 · Critical · Jul 23, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    PEAR HTML_QuickForm version 3.2.14 contains an eval injection (CWE-95) vulnerability in HTML_QuickForm's getSubmitValue method, HTML_QuickForm's validate method, HTML_QuickForm_hierselect's _setOptions method, HTML_QuickForm_element's _findValue method, HTML_QuickForm_element's…

  • CVE-2014-2302 · Critical · Jul 19, 2018
    risk 0.64 · cvss 9.8 · epss 0.05

    The installer script in webEdition CMS before 6.2.7-s1 and 6.3.x before 6.3.8-s1 allows remote attackers to conduct PHP Object Injection attacks by intercepting a request to update.webedition.org.

  • CVE-2018-14399 · Critical · Jul 19, 2018
    risk 0.64 · cvss 9.8 · epss 0.01

    libs\classes\attachment.class.php in PHPCMS 9.6.0 allows remote attackers to upload and execute arbitrary PHP code via a .txt?.php#.jpg URI in the SRC attribute of an IMG element within info[content] JSON data to the index.php?m=member&c=index&a=register URI.

  • CVE-2018-3608 · Critical · Jul 6, 2018
    risk 0.64 · cvss 9.8 · epss 0.03

    A vulnerability in Trend Micro Maximum Security's (Consumer) 2018 (versions 12.0.1191 and below) User-Mode Hooking (UMH) driver could allow an attacker to create a specially crafted packet that could alter a vulnerable system in such a way that malicious code could be injected…

  • CVE-2018-13043 · Critical · Jul 1, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    scripts/grep-excuses.pl in Debian devscripts through 2.18.3 allows code execution through unsafe YAML loading because YAML::Syck is used without a configuration that prevents unintended blessing.

  • CVE-2018-12531 · Critical · Jun 18, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    An issue was discovered in MetInfo 6.0.0. install\index.php allows remote attackers to write arbitrary PHP code into config_db.php, a different vulnerability than CVE-2018-7271.