An exploitable SQL injection vulnerability exists in YouPHPTube 7.7. A specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
Max CVSS: 10.0 | EPSS Score: 0.17% | Published: 2019-10-31 | Updated: 2022-06-27
Tiki Wiki CMS Groupware 5.2 has Local File Inclusion.
Max CVSS: 9.8 | EPSS Score: 4.03% | Published: 2019-10-28 | Updated: 2019-10-29
A file inclusion vulnerability exists in the confd.exe module in Honeywell Experion PKS R40x before R400.6, R41x before R410.6, and R43x before R430.2, which could lead to accepting an arbitrary file into the function, and potential information disclosure or remote code execution. Honeywell strongly encourages and recommends all customers running unsupported versions of Experion PKS prior to R400 to upgrade to a supported version.
Max CVSS: 9.8 | EPSS Score: 0.46% | Published: 2019-04-08 | Updated: 2019-10-09
The memphis-documents-library plugin before 3.0 for WordPress has Remote File Inclusion.
Max CVSS: 9.8 | EPSS Score: 0.45% | Published: 2019-08-22 | Updated: 2019-08-26
The memphis-documents-library plugin before 3.0 for WordPress has Local File Inclusion.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2019-08-22 | Updated: 2019-08-26
The companion-auto-update plugin before 3.2.1 for WordPress has local file inclusion.
Max CVSS: 9.8 | EPSS Score: 0.18% | Published: 2019-08-16 | Updated: 2019-08-21
The wp-payeezy-pay plugin before 2.98 for WordPress has local file inclusion in pay.php, donate.php, donate-rec, and pay-rec.
Max CVSS: 9.8 | EPSS Score: 1.17% | Published: 2019-08-22 | Updated: 2019-08-26
An issue was discovered in BlogEngine.NET through 3.3.6.0. A path traversal and Local File Inclusion vulnerability in PostList.ascx.cs allows unauthenticated users to load a PostView.ascx component from a potentially untrusted location on the local filesystem. This is especially dangerous because an authenticated user can upload a PostView.ascx file using the file manager utility, which is currently allowed. The combination results in remote code execution for an authenticated user.
Max CVSS: 9.8 | EPSS Score: 2.99% | Published: 2019-03-21 | Updated: 2019-06-18
An issue was discovered in Thomson Reuters Desktop Extensions 1.9.0.358. An unauthenticated directory traversal and local file inclusion vulnerability in ThomsonReuters.Desktop.Service.exe and ThomsonReuters.Desktop.exe allows a remote attacker to list or enumerate sensitive contents of files via a \.. sequence in a request to port 6677. Additionally, this could allow for privilege escalation by dumping the affected machine's SAM and SYSTEM database files, as well as remote code execution.
Max CVSS: 9.8 | EPSS Score: 15.64% | Published: 2019-06-05 | Updated: 2019-06-06
The GraceMedia Media Player plugin 1.0 for WordPress allows Local File Inclusion via the "cfg" parameter.
Max CVSS: 9.8 | EPSS Score: 4.91% | Published: 2019-05-13 | Updated: 2020-08-24
Deltek Maconomy 2.2.5 is prone to local file inclusion via absolute path traversal in the WS.macx1.W_MCS/ PATH_INFO, as demonstrated by a cgi-bin/Maconomy/MaconomyWS.macx1.W_MCS/etc/passwd URI.
Max CVSS: 9.8 | EPSS Score: 17.74% | Published: 2019-05-24 | Updated: 2019-11-05
The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5.
Max CVSS: 9.8 | EPSS Score: 1.62% | Published: 2019-07-14 | Updated: 2020-08-24
The shortcode-factory plugin before 2.8 for WordPress has Local File Inclusion.
Max CVSS: 9.8 | EPSS Score: 0.21% | Published: 2019-08-22 | Updated: 2020-08-24
Intesync Solismed 3.3sp1 allows Local File Inclusion (LFI), a different vulnerability than CVE-2019-15931. This leads to unauthenticated code execution.
Max CVSS: 9.8 | EPSS Score: 0.33% | Published: 2019-12-12 | Updated: 2021-07-21
An Unsafe Search Path vulnerability in FortiClient Online Installer (Windows version before 6.0.6) may allow an unauthenticated, remote attacker with control over the directory in which FortiClientOnlineInstaller.exe resides to execute arbitrary code on the system via uploading malicious .dll files in that directory.
Max CVSS: 9.3 | EPSS Score: 0.23% | Published: 2019-05-28 | Updated: 2019-05-29
The Rapid7 InsightAppSec broker suffers from a DLL injection vulnerability in the 'prunsrv.exe' component of the product. If exploited, a local user of the system (who must already be authenticated to the operating system) can elevate their privileges with this vulnerability to the privilege level of InsightAppSec (usually, SYSTEM). This issue affects version 2019.06.24 and prior versions of the product.
Max CVSS: 9.3 | EPSS Score: 0.06% | Published: 2019-08-19 | Updated: 2023-03-29
TeamSpeak 3 Client before 3.2.5 allows remote code execution in the Qt framework.
Max CVSS: 9.3 | EPSS Score: 1.86% | Published: 2019-04-19 | Updated: 2020-08-24
A vulnerability in Viber before 10.7.0 for Desktop (Windows) could allow an attacker to execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user, if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
Max CVSS: 9.3 | EPSS Score: 14.42% | Published: 2019-06-03 | Updated: 2020-03-18
A vulnerability in the London Trust Media Private Internet Access (PIA) VPN Client v1.0 for Windows could allow an authenticated, local attacker to run arbitrary code with elevated privileges. The PIA client is vulnerable to a DLL injection vulnerability during the software update process. The updater loads several libraries from a folder that authenticated users have write access to. A low privileged user can leverage this vulnerability to execute arbitrary code as SYSTEM.
Max CVSS: 9.3 | EPSS Score: 0.09% | Published: 2019-07-11 | Updated: 2019-07-16
In LogMeIn join.me before 3.16.0.5505, an attacker could execute arbitrary commands on a targeted system. This vulnerability is due to unsafe search paths used by the application URI that is defined in Windows. An attacker could exploit this vulnerability by convincing a targeted user to follow a malicious link. Successful exploitation could cause the application to load libraries from the directory targeted by the URI link. The attacker could use this behavior to execute arbitrary commands on the system with the privileges of the targeted user if the attacker can place a crafted library in a directory that is accessible to the vulnerable system.
Max CVSS: 9.3 | EPSS Score: 0.86% | Published: 2019-07-17 | Updated: 2020-08-24
An Untrusted Search Path vulnerability in the ServiceInstance.dll library versions 1.0.15.119 and lower, as used in Bitdefender Antivirus Free 2020 versions prior to 1.0.15.138, allows an attacker to load an arbitrary DLL file from the search path.
Max CVSS: 9.3 | EPSS Score: 0.07% | Published: 2019-08-21 | Updated: 2019-08-28
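The unsafe-search-path entries above (FortiClient Online Installer, InsightAppSec, Viber, PIA VPN Client, join.me, Bitdefender) share one mechanism: a DLL requested by bare name is resolved by walking the Windows search order, and any directory on that walk that the attacker can write to before the loader reaches a legitimate copy becomes the load source. The model below is an added example, not code from any of these vendors; the host layouts, ACLs and DLL names it builds are constructed, and the scenario builders mirror the entries only in shape (an installer run from a download folder, a SYSTEM updater working from a user-writable folder, a URI-launched process whose current directory points at an attacker share). It reports, per import, the first attacker-writable directory the loader would probe, and lets you compare the default SafeDllSearchMode walk with what SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS) leaves.

```python
"""
Model of the Windows DLL search order for reasoning about unsafe-search-path
bugs. Added example, not vendor code. Directory contents, ACLs and DLL names
are constructed test data; the scenario builders mirror the entries above only
in shape, not in any product detail.
"""

SYSTEM32 = r"C:\Windows\System32"
WINDIR = r"C:\Windows"
# KnownDLLs are mapped from System32 whatever the search path says (subset, constructed).
KNOWN_DLLS = {"ntdll.dll", "kernel32.dll", "user32.dll"}


class Host:
    """Constructed snapshot of the directories that matter to one process."""

    def __init__(self, app_dir, cwd, path_dirs, files, low_priv_writable):
        self.app_dir = app_dir                       # directory holding the .exe
        self.cwd = cwd                               # current directory at start
        self.path_dirs = list(path_dirs)             # %PATH% entries, in order
        self.files = {d.lower(): {f.lower() for f in fs} for d, fs in files.items()}
        self.low_priv_writable = {d.lower() for d in low_priv_writable}

    def has(self, directory, dll):
        return dll.lower() in self.files.get(directory.lower(), set())

    def writable(self, directory):
        return directory.lower() in self.low_priv_writable


def search_order(host, mode="safe"):
    """Directories probed, in order, for a DLL loaded by bare name.

    safe           SafeDllSearchMode on (the default): cwd after the system dirs.
    legacy_unsafe  SafeDllSearchMode off: cwd probed second.
    default_dirs   process called SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_DEFAULT_DIRS):
                   application directory and System32 only; no cwd, no %PATH%.
    Manifests, SxS redirection and the 16-bit system directory are ignored.
    """
    if mode == "default_dirs":
        return [host.app_dir, SYSTEM32]
    if mode == "legacy_unsafe":
        return [host.app_dir, host.cwd, SYSTEM32, WINDIR] + host.path_dirs
    return [host.app_dir, SYSTEM32, WINDIR, host.cwd] + host.path_dirs


def resolve_dll(host, dll, mode="safe"):
    """Directory the loader would take `dll` from, or None if nothing supplies it."""
    if dll.lower() in KNOWN_DLLS:
        return SYSTEM32
    for directory in search_order(host, mode):
        if host.has(directory, dll):
            return directory
    return None


def hijack_candidates(host, imports, mode="safe"):
    """For each import, the first low-privilege-writable directory the loader
    probes before it reaches a legitimate copy. A probed directory the attacker
    can write to is a planting point whether or not the real DLL sits there too;
    a DLL that nothing supplies is reachable from any writable directory on the
    walk."""
    found = {}
    for dll in imports:
        if dll.lower() in KNOWN_DLLS:
            continue
        for directory in search_order(host, mode):
            if host.writable(directory):
                found[dll] = directory
                break
            if host.has(directory, dll):
                break
    return found


def scenario_installer_in_downloads():
    """Installer executed from the folder it was downloaded to."""
    downloads = r"C:\Users\alice\Downloads"
    return Host(app_dir=downloads, cwd=downloads, path_dirs=[SYSTEM32],
                files={downloads: {"installer.exe"},
                       SYSTEM32: {"version.dll", "kernel32.dll"}},
                low_priv_writable={downloads})


def scenario_service_updater():
    """SYSTEM-level updater working out of a folder standard users can write to;
    'update-helper.dll' is a hypothetical missing import."""
    work = r"C:\ProgramData\VPN\update"
    return Host(app_dir=work, cwd=work, path_dirs=[SYSTEM32],
                files={work: {"updater.exe"}, SYSTEM32: {"kernel32.dll"}},
                low_priv_writable={work})


def scenario_uri_launch():
    """Application started via a URI handler with its current directory pointed
    at an attacker-controlled share; 'helper.dll' is a hypothetical missing import."""
    app = r"C:\Program Files\Messenger"
    share = r"\\evil.example\share"
    return Host(app_dir=app, cwd=share, path_dirs=[SYSTEM32],
                files={app: {"messenger.exe"}, SYSTEM32: {"kernel32.dll"}},
                low_priv_writable={share})


if __name__ == "__main__":
    cases = (("installer", scenario_installer_in_downloads(), ["version.dll", "kernel32.dll"]),
             ("updater", scenario_service_updater(), ["update-helper.dll"]),
             ("uri", scenario_uri_launch(), ["helper.dll"]))
    for name, host, imports in cases:
        for mode in ("safe", "legacy_unsafe", "default_dirs"):
            print(f"{name:10} {mode:14} {hijack_candidates(host, imports, mode)}")
```

Run as a script it prints the planting points per scenario and mode. The takeaways match the entries: SafeDllSearchMode only demotes the current directory, LOAD_LIBRARY_SEARCH_DEFAULT_DIRS removes cwd and %PATH% from the walk and so neutralises the URI-launch case, and nothing in the loader helps when the application directory itself is attacker-writable (installer in Downloads, updater in a world-writable folder), which is an ACL and packaging problem rather than a loader setting.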
An exploitable SQL injection vulnerability exists in YouPHPTube 7.7. When the "VideoTags" plugin is enabled, a specially crafted unauthenticated HTTP request can cause a SQL injection, possibly leading to denial of service, exfiltration of the database and local file inclusion, which could potentially further lead to code execution. An attacker can send an HTTP request to trigger this vulnerability.
Max CVSS: 8.9 | EPSS Score: 0.15% | Published: 2019-10-31 | Updated: 2022-06-27
Simple Machines Forum (SMF) 2.0.4 allows local file inclusion, with resultant remote code execution, in install.php via ../ directory traversal in the db_type parameter if install.php remains present after installation.
Max CVSS: 8.8 | EPSS Score: 0.29% | Published: 2019-03-07 | Updated: 2019-03-12
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP file inclusion through a crafted XML file that specifies product design update.
Max CVSS: 8.8 | EPSS Score: 0.25% | Published: 2019-11-06 | Updated: 2020-08-24
Maccms 10 allows remote attackers to execute arbitrary PHP code by entering the code in the Edit action for template/default_pc/html/art. This occurs because template rendering uses an include operation on a cache file, which bypasses the prohibition of .php files as templates.
Max CVSS: 8.8 | EPSS Score: 0.69% | Published: 2019-03-15 | Updated: 2021-07-21
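Most entries on this page are local file inclusion through a path the application builds from user input, and the descriptions show four distinct ways the check goes wrong: '../' components (SMF db_type), an absolute path appended to PATH_INFO that replaces the base directory (Deltek Maconomy), Windows '\..' traversal (Thomson Reuters Desktop Extensions), and a file-type restriction applied to the template name rather than to the file that is finally included (Maccms). The resolver below is an added example and not code from any of these projects; the template root and the probe strings are constructed. It puts the vulnerable join-and-normalise pattern beside a version that decodes percent-encoding, rejects NUL bytes, backslashes, absolute paths and '..' components, checks lexical containment, and applies the extension allowlist to the resolved file.

```python
"""
Hardened resolver for a user-controlled include path, beside the naive pattern
it replaces. Added example, not code from any product listed above. The
template root and all probe paths are constructed.
"""
import posixpath
import re
from urllib.parse import unquote

# Only files with these suffixes may ever be handed to include().
ALLOWED_SUFFIXES = (".tpl", ".html")
_DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


class InclusionRejected(ValueError):
    """Raised for any path that must not reach include()."""


def naive_include(base_dir, user_path):
    """The vulnerable pattern: join the user string onto the template root.
    posixpath.join() discards base_dir when user_path is absolute, and
    normpath() walks '..' above the root, so both '/etc/passwd' and
    '../../../../etc/passwd' escape."""
    return posixpath.normpath(posixpath.join(base_dir, user_path))


def _fully_decode(value, rounds=3):
    """Undo percent-encoding until the string stops changing; refuse
    pathological nesting instead of guessing at it."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise InclusionRejected("too many layers of percent-encoding")


def resolve_include(base_dir, user_path):
    """Return the one path inside base_dir that user_path may denote, or raise.

    Order of checks: decode, NUL byte, backslash-to-slash so '\\..' is seen as
    traversal, absolute path (including drive letters), explicit '..'
    components, lexical containment after normalisation, and finally the
    extension allowlist applied to the resolved file rather than to the name
    the caller typed."""
    base = posixpath.normpath(base_dir)
    candidate = _fully_decode(user_path)
    if "\x00" in candidate:
        raise InclusionRejected("NUL byte in path")
    candidate = candidate.replace("\\", "/")
    if candidate.startswith("/") or _DRIVE_PREFIX.match(candidate):
        raise InclusionRejected("absolute path not allowed")
    if any(part == ".." for part in candidate.split("/")):
        raise InclusionRejected("parent-directory traversal")
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    if not resolved.startswith(base + "/"):
        raise InclusionRejected("escapes template root")
    if not resolved.endswith(ALLOWED_SUFFIXES):
        raise InclusionRejected("extension not in allowlist")
    # Lexical only: a production version also realpath()s both sides so a
    # symlink planted inside base_dir cannot point elsewhere.
    return resolved


def classify(base_dir, user_path):
    """Convenience wrapper: 'ALLOW <path>' or 'REJECT <reason>'."""
    try:
        return "ALLOW " + resolve_include(base_dir, user_path)
    except InclusionRejected as exc:
        return "REJECT " + str(exc)


if __name__ == "__main__":
    ROOT = "/var/www/app/templates"          # assumed deployment path
    for probe in ("pages/home.tpl", "../../../../etc/passwd", "/etc/passwd",
                  "..\\..\\windows\\win.ini", "%2e%2e/%2e%2e/etc/passwd",
                  "home.tpl%00.php", "cache/abc.php"):
        print(f"{probe!r:32} naive={naive_include(ROOT, probe)!r:42} {classify(ROOT, probe)}")
```

The script prints, for each constructed probe, what the naive join would have included next to the hardened verdict. The last probe is the Maccms-shaped case: the name carries no traversal at all, and only a check on the resolved file's extension stops a .php file from being included.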
127 vulnerabilities found