Filtered by CWE-94
Total 4918 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-37405 1 Rocket.chat 1 Rocket.chat 2024-11-21 N/A
Livechat messages can be leaked by combining two NoSQL injections affecting livechat:loginByToken (pre-authentication) and livechat:loadHistory.
CVE-2024-37124 2024-11-21 9.8 Critical
Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed.
CVE-2024-37109 1 Wishlistmember 1 Wishlist Member 2024-11-21 9.9 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection.This issue affects WishList Member X: from n/a before 3.26.7.
CVE-2024-37084 1 Vmware 1 Spring Cloud Data Flow 2024-11-21 9.8 Critical
In Spring Cloud Data Flow versions prior to 2.11.4,  a malicious user who has access to the Skipper server api can use a crafted upload request to write an arbitrary file to any location on the file system which could lead to compromising the server
CVE-2024-37014 1 Langflow 1 Langflow 2024-11-21 9.8 Critical
Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.
CVE-2024-36679 2024-11-21 10.0 Critical
In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. Due to a predictable token, the method `Lcp::saveTranslations()` suffer of a white writer that can inject PHP code into a PHP file.
CVE-2024-36598 1 Projectworlds 1 Life Insurance Management System 2024-11-21 8.1 High
An arbitrary file upload vulnerability in Aegon Life v1.0 allows attackers to execute arbitrary code via uploading a crafted image file.
CVE-2024-36581 1 Prototype Solution 1 Abw Badger Database 2024-11-21 7.6 High
A Prototype Pollution issue in abw badger-database 1.2.1 allows an attacker to execute arbitrary code via dist/badger-database.esm.
CVE-2024-36575 1 Notabotai 1 Getsetprop 2024-11-21 9.8 Critical
A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor.
CVE-2024-36456 1 Broadcom 1 Symantec Privileged Access Management 2024-11-21 N/A
This vulnerability allows an unauthenticated attacker to achieve remote command execution on the affected PAM system by uploading a specially crafted PAM upgrade file.
CVE-2024-36268 1 Apache 1 Inlong 2024-11-21 9.8 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. Users are advised to upgrade to Apache InLong's 1.13.0 or cherry-pick [1] to solve it. [1]  https://github.com/apache/inlong/pull/10251
CVE-2024-36120 1 Ben-sb 1 Javascript Deobfuscator 2024-11-21 8.2 High
javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature.
CVE-2024-36075 2024-11-21 6.5 Medium
The CoSoSys Endpoint Protector through 5.9.3 and Unify agent through 7.0.6 is susceptible to an arbitrary code execution vulnerability due to the way an archive obtained from the Endpoint Protector or Unify server is extracted on the endpoint. An attacker who is able to modify the archive on the server could obtain remote code execution as an administrator on an endpoint.
CVE-2024-36074 2024-11-21 7.2 High
Netwrix CoSoSys Endpoint Protector through 5.9.3 and CoSoSys Unify through 7.0.6 contain a remote code execution vulnerability in the Endpoint Protector and Unify agent in the way that the EasyLock dependency is acquired from the server. An attacker with administrative access to the Endpoint Protector or Unify server can cause a client to acquire and execute a malicious file resulting in remote code execution.
CVE-2024-35226 2024-11-21 7.3 High
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. There are no known workarounds for this vulnerability.
CVE-2024-34761 2024-11-21 8.5 High
Vulnerability discovered by executing a planned security audit. Improper Control of Generation of Code ('Code Injection') vulnerability in WPENGINE INC Advanced Custom Fields PRO allows Code Injection.This issue affects Advanced Custom Fields PRO: from n/a before 6.2.10.
CVE-2024-34405 2024-11-21 9.1 Critical
Improper deep link validation in McAfee Security: Antivirus VPN for Android before 8.3.0 could allow an attacker to launch an arbitrary URL within the app.
CVE-2024-33644 1 Wpcustomify 1 Customify Site Library 2024-11-21 9.9 Critical
Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9.
CVE-2024-33445 1 Hisiphp 1 Hisiphp 2024-11-21 9.8 Critical
An issue in hisiphp v2.0.111 allows a remote attacker to execute arbitrary code via a crafted script to the SystemPlugins::mkInfo parameter in the SystemPlugins.php component.
CVE-2024-33430 1 Stsaz 1 Phiola 2024-11-21 8.8 High
An issue in phiola/src/afilter/pcm_convert.h:513 of phiola v2.0-rc22 allows a remote attacker to execute arbitrary code via the a crafted .wav file.