CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,435)
page 221 of 222| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2006-0388 | 0.00 | — | 0.00 | Mar 3, 2006 | Safari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows remote attackers to redirect users to local files and execute arbitrary JavaScript via unspecified vectors involving HTTP redirection to local resources. | |||
| CVE-2006-0945 | 0.00 | — | 0.01 | Mar 1, 2006 | PHP remote file include vulnerability in admin/index.php in Archangel Weblog 0.90.02 allows remote authenticated administrators to execute arbitrary PHP code via a URL ending in a NULL (%00) in the index parameter. | |||
| CVE-2006-0854 | 0.00 | — | 0.02 | Feb 23, 2006 | PHP remote file inclusion vulnerability in common.php in Intensive Point iUser Ecommerce allows remote attackers to include arbitrary files via a URL in the include_path variable, which is not initialized before being used. | |||
| CVE-2006-0723 | 0.00 | — | 0.01 | Feb 16, 2006 | PHP remote file inclusion vulnerability in preview.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the php_script_path parameter. | |||
| CVE-2006-0332 | 0.00 | — | 0.01 | Jan 21, 2006 | Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files. | |||
| CVE-2006-0236 | 0.00 | — | 0.01 | Jan 18, 2006 | GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by… | |||
| CVE-2006-0207 | 0.00 | — | 0.05 | Jan 13, 2006 | Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function. | |||
| CVE-2006-0144 | 0.00 | — | 0.01 | Jan 9, 2006 | The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function. | |||
| CVE-2006-0094 | 0.00 | — | 0.01 | Jan 5, 2006 | PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are… | |||
| CVE-2005-4874 | 0.00 | — | 0.00 | Dec 31, 2005 | The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP TRACE method, which allows remote attackers to obtain (1) proxy authentication passwords via a request with a "Max-Forwards: 0" header or (2) arbitrary local passwords on the web server that hosts this object. | |||
| CVE-2005-3835 | 0.00 | — | 0.01 | Nov 26, 2005 | PHP remote file inclusion vulnerability in support/index.php in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the main parameter. | |||
| CVE-2005-3775 | 0.00 | — | 0.01 | Nov 23, 2005 | PHP remote file inclusion vulnerability in pollvote.php in PollVote allows remote attackers to include arbitrary files via a URL in the pollname parameter. | |||
| CVE-2005-3554 | 0.00 | — | 0.05 | Nov 16, 2005 | Multiple eval injection vulnerabilities in the help function in PHPKIT 1.6.1 R2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary code on the server via unknown attack vectors involving uninitialized variables. | |||
| CVE-2005-2703 | 0.00 | — | 0.05 | Sep 23, 2005 | Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies, including HTTP request smuggling and HTTP request splitting. | |||
| CVE-2005-2837 | 0.00 | — | 0.01 | Sep 7, 2005 | Multiple eval injection vulnerabilities in PlainBlack Software WebGUI before 6.7.3 allow remote attackers to execute arbitrary Perl code via (1) Help.pm, (2) International.pm, or (3) WebGUI.pm. | |||
| CVE-2005-2498 | 0.00 | — | 0.05 | Aug 15, 2005 | Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP… | |||
| CVE-2005-1527 | 0.00 | — | 0.01 | Aug 15, 2005 | Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call. | |||
| CVE-2005-1965 | 0.00 | — | 0.04 | Jun 16, 2005 | PHP remote file inclusion vulnerability in siteframe.php for Broadpool Siteframe allows remote attackers to execute arbitrary code via a URL in the LOCAL_PATH parameter. | |||
| CVE-2005-1996 | 0.00 | — | 0.01 | Jun 15, 2005 | PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter. | |||
| CVE-2005-0227 | 0.00 | — | 0.00 | May 2, 2005 | PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension. |
- CVE-2006-0388Mar 3, 2006risk 0.00cvss —epss 0.00
Safari in Mac OS X 10.3 before 10.3.9 and 10.4 before 10.4.5 allows remote attackers to redirect users to local files and execute arbitrary JavaScript via unspecified vectors involving HTTP redirection to local resources.
- CVE-2006-0945Mar 1, 2006risk 0.00cvss —epss 0.01
PHP remote file include vulnerability in admin/index.php in Archangel Weblog 0.90.02 allows remote authenticated administrators to execute arbitrary PHP code via a URL ending in a NULL (%00) in the index parameter.
- CVE-2006-0854Feb 23, 2006risk 0.00cvss —epss 0.02
PHP remote file inclusion vulnerability in common.php in Intensive Point iUser Ecommerce allows remote attackers to include arbitrary files via a URL in the include_path variable, which is not initialized before being used.
- CVE-2006-0723Feb 16, 2006risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in preview.php in Reamday Enterprises Magic News Lite 1.2.3, when register_globals is enabled, allows remote attackers to include arbitrary files via a URL in the php_script_path parameter.
- CVE-2006-0332Jan 21, 2006risk 0.00cvss —epss 0.01
Pantomime in Ecartis 1.0.0 snapshot 20050909 stores e-mail attachments in a publicly accessible directory, which may allow remote attackers to upload arbitrary files.
- CVE-2006-0236Jan 18, 2006risk 0.00cvss —epss 0.01
GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-assisted attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by…
- CVE-2006-0207Jan 13, 2006risk 0.00cvss —epss 0.05
Multiple HTTP response splitting vulnerabilities in PHP 5.1.1 allow remote attackers to inject arbitrary HTTP headers via a crafted Set-Cookie header, related to the (1) session extension (aka ext/session) and the (2) header function.
- CVE-2006-0144Jan 9, 2006risk 0.00cvss —epss 0.01
The proxy server feature in go-pear.php in PHP PEAR 0.2.2, as used in Apache2Triad, allows remote attackers to execute arbitrary PHP code by redirecting go-pear.php to a malicious proxy server that provides a modified version of Tar.php with a malicious extractModify function.
- CVE-2006-0094Jan 5, 2006risk 0.00cvss —epss 0.01
PHP remote file include vulnerability in forum.php in oaBoard 1.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc_stat parameter, a different vulnerability than CVE-2006-0076. NOTE: the provenance of this information is unknown; the details are…
- CVE-2005-4874Dec 31, 2005risk 0.00cvss —epss 0.00
The XMLHttpRequest object in Mozilla 1.7.8 supports the HTTP TRACE method, which allows remote attackers to obtain (1) proxy authentication passwords via a request with a "Max-Forwards: 0" header or (2) arbitrary local passwords on the web server that hosts this object.
- CVE-2005-3835Nov 26, 2005risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in support/index.php in DeskLance 2.3 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the main parameter.
- CVE-2005-3775Nov 23, 2005risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in pollvote.php in PollVote allows remote attackers to include arbitrary files via a URL in the pollname parameter.
- CVE-2005-3554Nov 16, 2005risk 0.00cvss —epss 0.05
Multiple eval injection vulnerabilities in the help function in PHPKIT 1.6.1 R2 and earlier, when register_globals is enabled, allow remote attackers to execute arbitrary code on the server via unknown attack vectors involving uninitialized variables.
- CVE-2005-2703Sep 23, 2005risk 0.00cvss —epss 0.05
Firefox before 1.0.7 and Mozilla Suite before 1.7.12 allows remote attackers to modify HTTP headers of XML HTTP requests via XMLHttpRequest, and possibly use the client to exploit vulnerabilities in servers or proxies, including HTTP request smuggling and HTTP request splitting.
- CVE-2005-2837Sep 7, 2005risk 0.00cvss —epss 0.01
Multiple eval injection vulnerabilities in PlainBlack Software WebGUI before 6.7.3 allow remote attackers to execute arbitrary Perl code via (1) Help.pm, (2) International.pm, or (3) WebGUI.pm.
- CVE-2005-2498Aug 15, 2005risk 0.00cvss —epss 0.05
Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP…
- CVE-2005-1527Aug 15, 2005risk 0.00cvss —epss 0.01
Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.
- CVE-2005-1965Jun 16, 2005risk 0.00cvss —epss 0.04
PHP remote file inclusion vulnerability in siteframe.php for Broadpool Siteframe allows remote attackers to execute arbitrary code via a URL in the LOCAL_PATH parameter.
- CVE-2005-1996Jun 15, 2005risk 0.00cvss —epss 0.01
PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter.
- CVE-2005-0227May 2, 2005risk 0.00cvss —epss 0.00
PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.