CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (3,775)
page 149 of 189| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2005-3859 | 0.03 | — | 0.05 | Nov 29, 2005 | PHP remote file inclusion vulnerability in q-news.php in Q-News 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the id parameter. | ||
| CVE-2005-3861 | 0.03 | — | 0.03 | Nov 29, 2005 | PHP remote file inclusion vulnerability in content.php in phpGreetz 0.99 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the content parameter. | ||
| CVE-2005-1155 | 0.03 | — | 0.36 | May 2, 2005 | The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking." | ||
| CVE-2005-0720 | 0.03 | — | 0.02 | Mar 8, 2005 | PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code. | ||
| CVE-2004-1926 | 0.03 | — | 0.04 | Apr 11, 2004 | Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation. | ||
| CVE-2003-1385 | 0.03 | — | 0.03 | Dec 31, 2003 | ipchat.php in Invision Power Board 1.1.1 allows remote attackers to execute arbitrary PHP code, if register_globals is enabled, by modifying the root_path parameter to reference a URL on a remote web server that contains the code. | ||
| CVE-2003-1410 | 0.03 | — | 0.04 | Dec 31, 2003 | PHP remote file inclusion vulnerability in email.php (aka email.php3) in Cedric Email Reader 0.2 and 0.3 allows remote attackers to execute arbitrary PHP code via the cer_skin parameter. | ||
| CVE-2003-1411 | 0.03 | — | 0.04 | Dec 31, 2003 | PHP remote file inclusion vulnerability in emailreader_execute_on_each_page.inc.php in Cedric Email Reader 0.4 allows remote attackers to execute arbitrary PHP code via the emailreader_ini parameter. | ||
| CVE-2003-1412 | 0.03 | — | 0.05 | Dec 31, 2003 | PHP remote file inclusion vulnerability in index.php for GONiCUS System Administrator (GOsa) 1.0 allows remote attackers to execute arbitrary PHP code via the plugin parameter to (1) 3fax/1blocklists/index.php; (2) 6departamentadmin/index.php, (3) 5terminals/index.php, (4) 4mailinglists/index.php, (5) 3departaments/index.php, and (6) 2groupd/index.php in 2administration/; or (7) the base parameter to include/help.php. | ||
| CVE-2003-1240 | 0.03 | — | 0.01 | Dec 31, 2003 | PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter in (1) shownews.php, (2) search.php, or (3) comments.php. | ||
| CVE-2003-1227 | 0.03 | — | 0.06 | Dec 31, 2003 | PHP remote file include vulnerability in index.php for Gallery 1.4 and 1.4-pl1, when running on Windows or in Configuration mode on Unix, allows remote attackers to inject arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. NOTE: this issue might be exploitable only during installation, or if the administrator has not run a security script after installation. | ||
| CVE-2003-1406 | 0.03 | — | 0.01 | Dec 31, 2003 | PHP remote file inclusion vulnerability in D-Forum 1.00 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the (1) my_header parameter to header.php3 or (2) my_footer parameter to footer.php3. | ||
| CVE-2003-1459 | 0.03 | — | 0.03 | Dec 31, 2003 | Multiple PHP remote file inclusion vulnerabilities in ttCMS 2.2 and ttForum allow remote attackers to execute arbitrary PHP code via the (1) template parameter in News.php or (2) installdir parameter in install.php. | ||
| CVE-2003-1436 | 0.03 | — | 0.03 | Dec 31, 2003 | PHP remote file inclusion vulnerability in nukebrowser.php in Nukebrowser 2.1 to 2.5 allows remote attackers to execute arbitrary PHP code via the filhead parameter. | ||
| CVE-2002-2319 | 0.03 | — | 0.04 | Dec 31, 2002 | Static code injection vulnerability in users.php in MySimpleNews allows remote attackers to inject arbitrary PHP code and HTML via the (1) LOGIN, (2) DATA, and (3) MESS parameters, which are inserted into news.php3. | ||
| CVE-2002-2249 | 0.03 | — | 0.03 | Dec 31, 2002 | PHP remote file inclusion vulnerability in News Evolution 2.0 allows remote attackers to execute arbitrary PHP commands via the neurl parameter to (1) backend.php, (2) screen.php, or (3) admin/modules/comment.php. | ||
| CVE-2002-1991 | 0.03 | — | 0.05 | Dec 31, 2002 | PHP file inclusion vulnerability in osCommerce 2.1 execute arbitrary commands via the include_file parameter to include_once.php. | ||
| CVE-2002-2019 | 0.03 | — | 0.04 | Dec 31, 2002 | PHP remote file inclusion vulnerability in include_once.php in osCommerce (a.k.a. Exchange Project) 2.1 allows remote attackers to execute arbitrary PHP code via the include_file parameter. | ||
| CVE-2002-2298 | 0.03 | — | 0.03 | Dec 31, 2002 | PHP remote file inclusion vulnerability in config.php in Thatware 0.3 through 0.5.3 allows remote attackers to execute arbitrary PHP code via the root_path parameter. | ||
| CVE-2002-2287 | 0.03 | — | 0.00 | Dec 31, 2002 | PHP remote file inclusion vulnerability in quick_reply.php for phpBB Advanced Quick Reply Hack 1.0.0 and 1.1.0 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter. |
- CVE-2005-3859Nov 29, 2005risk 0.03cvss —epss 0.05
PHP remote file inclusion vulnerability in q-news.php in Q-News 2.0 allows remote attackers to execute arbitrary PHP code via a URL in the id parameter.
- CVE-2005-3861Nov 29, 2005risk 0.03cvss —epss 0.03
PHP remote file inclusion vulnerability in content.php in phpGreetz 0.99 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the content parameter.
- CVE-2005-1155May 2, 2005risk 0.03cvss —epss 0.36
The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking."
- CVE-2005-0720Mar 8, 2005risk 0.03cvss —epss 0.02
PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code.
- CVE-2004-1926Apr 11, 2004risk 0.03cvss —epss 0.04
Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation.
- CVE-2003-1385Dec 31, 2003risk 0.03cvss —epss 0.03
ipchat.php in Invision Power Board 1.1.1 allows remote attackers to execute arbitrary PHP code, if register_globals is enabled, by modifying the root_path parameter to reference a URL on a remote web server that contains the code.
- CVE-2003-1410Dec 31, 2003risk 0.03cvss —epss 0.04
PHP remote file inclusion vulnerability in email.php (aka email.php3) in Cedric Email Reader 0.2 and 0.3 allows remote attackers to execute arbitrary PHP code via the cer_skin parameter.
- CVE-2003-1411Dec 31, 2003risk 0.03cvss —epss 0.04
PHP remote file inclusion vulnerability in emailreader_execute_on_each_page.inc.php in Cedric Email Reader 0.4 allows remote attackers to execute arbitrary PHP code via the emailreader_ini parameter.
- CVE-2003-1412Dec 31, 2003risk 0.03cvss —epss 0.05
PHP remote file inclusion vulnerability in index.php for GONiCUS System Administrator (GOsa) 1.0 allows remote attackers to execute arbitrary PHP code via the plugin parameter to (1) 3fax/1blocklists/index.php; (2) 6departamentadmin/index.php, (3) 5terminals/index.php, (4) 4mailinglists/index.php, (5) 3departaments/index.php, and (6) 2groupd/index.php in 2administration/; or (7) the base parameter to include/help.php.
- CVE-2003-1240Dec 31, 2003risk 0.03cvss —epss 0.01
PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter in (1) shownews.php, (2) search.php, or (3) comments.php.
- CVE-2003-1227Dec 31, 2003risk 0.03cvss —epss 0.06
PHP remote file include vulnerability in index.php for Gallery 1.4 and 1.4-pl1, when running on Windows or in Configuration mode on Unix, allows remote attackers to inject arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. NOTE: this issue might be exploitable only during installation, or if the administrator has not run a security script after installation.
- CVE-2003-1406Dec 31, 2003risk 0.03cvss —epss 0.01
PHP remote file inclusion vulnerability in D-Forum 1.00 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the (1) my_header parameter to header.php3 or (2) my_footer parameter to footer.php3.
- CVE-2003-1459Dec 31, 2003risk 0.03cvss —epss 0.03
Multiple PHP remote file inclusion vulnerabilities in ttCMS 2.2 and ttForum allow remote attackers to execute arbitrary PHP code via the (1) template parameter in News.php or (2) installdir parameter in install.php.
- CVE-2003-1436Dec 31, 2003risk 0.03cvss —epss 0.03
PHP remote file inclusion vulnerability in nukebrowser.php in Nukebrowser 2.1 to 2.5 allows remote attackers to execute arbitrary PHP code via the filhead parameter.
- CVE-2002-2319Dec 31, 2002risk 0.03cvss —epss 0.04
Static code injection vulnerability in users.php in MySimpleNews allows remote attackers to inject arbitrary PHP code and HTML via the (1) LOGIN, (2) DATA, and (3) MESS parameters, which are inserted into news.php3.
- CVE-2002-2249Dec 31, 2002risk 0.03cvss —epss 0.03
PHP remote file inclusion vulnerability in News Evolution 2.0 allows remote attackers to execute arbitrary PHP commands via the neurl parameter to (1) backend.php, (2) screen.php, or (3) admin/modules/comment.php.
- CVE-2002-1991Dec 31, 2002risk 0.03cvss —epss 0.05
PHP file inclusion vulnerability in osCommerce 2.1 execute arbitrary commands via the include_file parameter to include_once.php.
- CVE-2002-2019Dec 31, 2002risk 0.03cvss —epss 0.04
PHP remote file inclusion vulnerability in include_once.php in osCommerce (a.k.a. Exchange Project) 2.1 allows remote attackers to execute arbitrary PHP code via the include_file parameter.
- CVE-2002-2298Dec 31, 2002risk 0.03cvss —epss 0.03
PHP remote file inclusion vulnerability in config.php in Thatware 0.3 through 0.5.3 allows remote attackers to execute arbitrary PHP code via the root_path parameter.
- CVE-2002-2287Dec 31, 2002risk 0.03cvss —epss 0.00
PHP remote file inclusion vulnerability in quick_reply.php for phpBB Advanced Quick Reply Hack 1.0.0 and 1.1.0 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter.