Adobe Campaign versions 16.4 Build 8724 and earlier have a code injection vulnerability.
setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array.
Empire CMS 7.5 allows remote attackers to execute arbitrary PHP code via the ftemp parameter in an enews=EditMemberForm action because this code is injected into a memberform.$fid.php file.
ymlref allows code injection.
A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-4786 and CVE-2011-4787.
A vulnerability was found in itsourcecode Gym Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /ajax.php?action=delete_plan. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
The yaml_parse.load method in Pylearn2 allows code injection.
An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file.
io/mongo/parser.py in Eve (aka pyeve) before 0.7.5 allows remote attackers to execute arbitrary code via Code Injection in the where parameter.
A vulnerability was determined in Swatadru Exam-Seating-Arrangement up to 97335ccebf95468d92525f4255a2241d2b0b002f. Affected is an unknown function of the file /student.php of the component Student Login. Executing manipulation of the argument email can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.
Arbitrary Code Execution vulnerability in Micro Focus Universal CMDB, version 4.10, 4.11, 4.12. This vulnerability could be remotely exploited to allow Arbitrary Code Execution.
The management console in Symantec IM Manager before 8.4.18 allows remote attackers to execute arbitrary code via unspecified vectors, related to a "code injection issue."
Improper Control of Generation of Code ('Code Injection') vulnerability in WC Product Table WooCommerce Product Table Lite allows Code Injection.This issue affects WooCommerce Product Table Lite: from n/a through 3.5.1.
Multiple direct static code injection vulnerabilities in RunCMS before 1.6.1 allow remote authenticated administrators to inject arbitrary PHP code via the (1) header and (2) footer parameters to modules/system/admin.php in a meta-generator action, (3) the disclaimer parameter to modules/system/admin.php in a disclaimer action, (4) the disclaimer parameter to modules/mydownloads/admin/index.php in a mydownloadsConfigAdmin action, (5) the disclaimer parameter to modules/newbb_plus/admin/forum_config.php, (6) the disclaimer parameter to modules/mylinks/admin/index.php in a myLinksConfigAdmin action, or (7) the intro parameter to modules/sections/admin/index.php in a secconfig action, which inject PHP sequences into (a) sections/cache/intro.php, (b) mylinks/cache/disclaimer.php, (c) mydownloads/cache/disclaimer.php, (d) newbb_plus/cache/disclaimer.php, (e) system/cache/disclaimer.php, (f) system/cache/footer.php, (g) system/cache/header.php, or (h) system/cache/maintenance.php in modules/.
PHP remote file inclusion vulnerability in modules/webmail2/inc/rfc822.php in guanxiCRM Business Solution 0.9.1 allows remote attackers to execute arbitrary PHP code via a URL in the webmail2_inc_dir parameter.
An issue was discovered on Samsung mobile devices with M(6.0) and N(7.x) software. SVoice allows arbitrary code execution by changing dynamic libraries. The Samsung ID is SVE-2017-9299 (September 2017).
PHP remote file inclusion vulnerability in iJoomla Magazine (com_magazine) component 3.0.1 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the config parameter to magazine.functions.php.
PHP remote file inclusion vulnerability in contact/contact.php in Groone's Simple Contact Form allows remote attackers to execute arbitrary PHP code via a URL in the abspath parameter.
PHP remote file inclusion vulnerability in index.php in MailForm 1.2 allows remote attackers to execute arbitrary PHP code via a URL in the theme parameter.
PbootCMS V1.3.1 build 2018-11-14 allows remote attackers to execute arbitrary code via use of "eval" with mixed case, as demonstrated by an index.php/list/5/?current={pboot:if(evAl($_GET[a]))}1{/pboot:if}&a=phpinfo(); URI, because of an incorrect apps\home\controller\ParserController.php parserIfLabel protection mechanism.
PHP remote file inclusion vulnerability in ardeaCore/lib/core/ardeaInit.php in ardeaCore PHP Framework 2.2 allows remote attackers to execute arbitrary PHP code via a URL in the pathForArdeaCore parameter. NOTE: some of these details are obtained from third party information.
Incomplete blacklist vulnerability in the safe_url_extraclean function in ajax.php in Pandora FMS before 3.1.1 allows remote attackers to execute arbitrary PHP code by using a page parameter containing a UNC share pathname, which bypasses the check for the : (colon) character.
PHP remote file inclusion vulnerability in mod_chatting/themes/default/header.php in Family Connections Who is Chatting 2.2.3 allows remote attackers to execute arbitrary PHP code via a URL in the TMPL[path] parameter.
Multiple PHP remote file inclusion vulnerabilities in AR Web Content Manager (AWCM) 2.1 final allow remote attackers to execute arbitrary PHP code via a URL in the theme_file parameter to (1) includes/window_top.php and (2) header.php, and the (3) lang_file parameter to control/common.php.
PHP remote file inclusion vulnerability in tools/phpmailer/class.phpmailer.php in PHP Classifieds 7.3 allows remote attackers to execute arbitrary PHP code via a URL in the lang_path parameter.
Multiple PHP remote file inclusion vulnerabilities in Pecio CMS 2.0.5 allow remote attackers to execute arbitrary PHP code via a URL in the template parameter to (1) post.php, (2) article.php, (3) blog.php, or (4) home.php in pec_templates/nova-blue/.
PHP remote file inclusion vulnerability in includes/tumbnail.php in MatPo Bilder Galerie 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the config[root_ordner] parameter.
Multiple PHP remote file inclusion vulnerabilities in Seagull 0.6.7 allow remote attackers to execute arbitrary PHP code via a URL in the includeFile parameter to (1) Config/Container.php and (2) HTML/QuickForm.php in fog/lib/pear/, the (3) driverpath parameter to fog/lib/pear/DB/NestedSet.php, and the (4) path parameter to fog/lib/pear/DB/NestedSet/Output.php.
Multiple PHP remote file inclusion vulnerabilities in DiY-CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) lang parameter to modules/guestbook/blocks/control.block.php, (2) main_module parameter to index.php, and (3) getFile parameter to includes/general.functions.php.
Multiple PHP remote file inclusion vulnerabilities in Multi-lingual E-Commerce System 0.2 allow remote attackers to execute arbitrary PHP code via a URL in the include_path parameter to (1) checkout2-CYM.php, (2) checkout2-EN.php, (3) checkout2-FR.php, (4) cat-FR.php, (5) cat-EN.php, (6) cat-CYM.php, (7) checkout1-CYM.php, (8) checkout1-EN.php, (9) checkout1-FR.php, (10) prod-CYM.php, (11) prod-EN.php, and (12) prod-FR.php in inc/.
phpgwapi/js/fckeditor/editor/dialog/fck_spellerpages/spellerpages/serverscripts/spellchecker.php in EGroupware 1.4.001+.002; 1.6.001+.002 and possibly other versions before 1.6.003; and EPL 9.1 before 9.1.20100309 and 9.2 before 9.2.20100309; allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) aspell_path or (2) spellchecker_lang parameters.
PHP remote file inclusion vulnerability in index.php in Textpattern CMS 4.2.0 allows remote attackers to execute arbitrary PHP code via a URL in the inc parameter.
Unspecified vulnerability in ClamAV 0.91.1 and 0.91.2 allows remote attackers to execute arbitrary code via a crafted e-mail message. NOTE: this information is based upon a vague advisory by a vulnerability information sales organization that does not coordinate with vendors or release actionable advisories. A CVE has been assigned for tracking purposes, but duplicates with other CVEs are difficult to determine.
Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 allow remote attackers to execute arbitrary PHP code via a URL in the (1) meta or (2) phpincdir parameter, a different issue than CVE-2010-3307.
SAP MaxDB ODBC driver (all versions before 7.9.09.07) allows an attacker to inject code that can be executed by the application. An attacker could thereby control the behavior of the application.
The bbp-move-topics plugin before 1.1.6 for WordPress has code injection.
Multiple PHP remote file inclusion vulnerabilities in themes/default/index.php in Free Simple CMS 1.0 and earlier allow remote attackers to execute arbitrary PHP code via a URL in the (1) body, (2) footer, (3) header, (4) menu_left, or (5) menu_right parameter.
PHP remote file inclusion vulnerability in picturelib.php in SmartISoft phpBazar 2.1.1 allows remote attackers to execute arbitrary PHP code via a URL in the cat parameter.
PHP remote file inclusion vulnerability in _center.php in ProMan 0.1.1 and earlier allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.
PHP remote file inclusion vulnerability in banned.php in Visitor Logger allows remote attackers to execute arbitrary PHP code via a URL in the VL_include_path parameter.
Multiple PHP remote file inclusion vulnerabilities in Snipe Gallery 3.1.5 allow remote attackers to execute arbitrary PHP code via a URL in the cfg_admin_path parameter to (1) index.php, (2) view.php, (3) image.php, (4) search.php, (5) admin/index.php, (6) admin/gallery/index.php, (7) admin/gallery/view.php, (8) admin/gallery/gallery.php, (9) admin/gallery/image.php, and (10) admin/gallery/crop.php.
statics/app/index/controller/Install.php in YUNUCMS 1.1.5 (if install.lock is not present) allows remote attackers to execute arbitrary PHP code by placing this code in the index.php?s=index/install/setup2 DB_PREFIX field, which is written to database.php.
PHP remote file inclusion vulnerability in the SEF404x (com_sef) component for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig.absolute.path parameter to index.php.
A vulnerability classified as critical was found in Simple Ads Manager Plugin. This vulnerability affects unknown code. The manipulation leads to code injection. The attack can be initiated remotely.
Multiple PHP remote file inclusion vulnerabilities in ClearSite Beta 4.50, and possibly other versions, allow remote attackers to execute arbitrary PHP code via a URL in the cs_base_path parameter to (1) docs.php and (2) include/admin/device_admin.php. NOTE: the header.php vector is already covered by CVE-2009-3306. NOTE: this issue may be due to a variable extraction error.
An issue was discovered in LAOBANCMS 2.0. It allows remote attackers to execute arbitrary PHP code via the host parameter to the install/ URI.
PHP remote file inclusion vulnerability in system/application/views/public/commentform.php in EZPX Photoblog 1.2 beta allows remote attackers to execute arbitrary PHP code via a URL in the tpl_base_dir parameter.
PHP remote file inclusion vulnerability in core/include/myMailer.class.php in the Visites (com_joomla-visites) component 1.1 RC2 for Joomla! allows remote attackers to execute arbitrary PHP code via a URL in the mosConfig_absolute_path parameter.
Multiple PHP remote file inclusion vulnerabilities in Open Education System (OES) 0.1 beta allow remote attackers to execute arbitrary PHP code via a URL in the CONF_INCLUDE_PATH parameter to (1) forum/admin.php and (2) plotgraph/index.php in admin/modules/modules/, and (3) admin_user/mod_admuser.php and (4) ogroup/mod_group.php in admin/modules/user_account/, different vectors than CVE-2007-1446.
The WP Photo Album Plus plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 8.7.02.003. This is due to the plugin allowing unauthenticated users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.