CWE-94
Improper Control of Generation of Code ('Code Injection')
Description
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Related attack patterns (CAPEC)
CAPEC-242 · CAPEC-35 · CAPEC-77
CVEs mapped to this weakness (4,435)
page 222 of 222

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2005-0679 | | | 0.00 | — | 0.01 | | May 2, 2005 | PHP remote file inclusion vulnerability in tell_a_friend.inc.php for Tell A Friend Script 2.7 before 20050305 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code. NOTE: it… |
| CVE-2005-0748 | | | 0.00 | — | 0.01 | | Mar 10, 2005 | PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mailing list manager 1.3d allows remote attackers to execute arbitrary PHP code by modifying the absolute_path parameter to reference a URL on a remote web server that contains the code. |
| CVE-2005-0103 | | | 0.00 | — | 0.03 | | Jan 24, 2005 | PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code. |
| CVE-2004-1419 | | | 0.00 | — | 0.04 | | Dec 31, 2004 | PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the… |
| CVE-2004-2740 | | | 0.00 | — | 0.01 | | Dec 31, 2004 | PHP remote file inclusion vulnerability in authform.inc.php in PHProjekt 4.2.3 and earlier allows remote attackers to include arbitrary PHP code via a URL in the path_pre parameter. |
| CVE-2003-1491 | | | 0.00 | — | 0.00 | | Dec 31, 2003 | Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. |
| CVE-2003-1253 | | | 0.00 | — | 0.01 | | Dec 31, 2003 | PHP remote file inclusion vulnerability in Bookmark4U 1.8.3 allows remote attackers to execute arbitrary PHP code via a URL in the prefix parameter to (1) dbase.php, (2) config.php, or (3) common.load.php. |
| CVE-2003-1500 | | | 0.00 | — | 0.04 | | Dec 31, 2003 | PHP remote file inclusion vulnerability in _functions.php in cpCommerce 0.5f allows remote attackers to execute arbitrary code via the prefix parameter. |
| CVE-2003-0498 | | | 0.00 | — | 0.00 | | Aug 7, 2003 | Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. |
| CVE-2002-2297 | | | 0.00 | — | 0.01 | | Dec 31, 2002 | PHP remote file inclusion vulnerability in artlist.php in Thatware 0.5.2 and 0.5.3 allows remote attackers to execute arbitrary PHP code via the root_path parameter. |
| CVE-2002-2299 | | | 0.00 | — | 0.01 | | Dec 31, 2002 | PHP remote file inclusion vulnerability in thatfile.php in Thatware 0.3 through 0.5.2 allows remote attackers to execute arbitrary PHP code via the root_path parameter. |
| CVE-2002-1753 | | | 0.00 | — | 0.03 | | Dec 31, 2002 | csNewsPro.cgi in CGIScript.net csNews Professional (csNewsPro) allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
| CVE-2002-1752 | | | 0.00 | — | 0.01 | | Dec 31, 2002 | csChatRBox.cgi in CGIScript.net csChat-R-Box allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
| CVE-2002-1750 | | | 0.00 | — | 0.01 | | Dec 31, 2002 | csGuestbook.cgi in CGISCRIPT.NET csGuestbook 1.0 allows remote attackers to execute arbitrary Perl code via the setup parameter, which is processed by the Perl eval function. |
| CVE-1999-0509 | — | | 0.00 | — | 0.02 | | May 29, 1996 | Perl, sh, csh, or other shell interpreters are installed in the cgi-bin directory on a WWW site, which allows remote attackers to execute arbitrary commands. |