CWE-95

Medium likelihood

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

Parent: CWE-94 - Improper Control of Generation of Code ('Code Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

138 vulnerabilities with CWE-95
CVE-2023-7101 HIGH KEV
Spreadsheet::ParseExcel < 0.65 - Remote Code Execution via Number Format String Eval
CVSS 7.8
CVE-2023-50723 CRITICAL
XWiki Platform 2.3-14.10.5 - Authenticated Remote Code Execution via Administration Interface
CVSS 9.9
CVE-2023-50721 CRITICAL
XWiki Platform 4.5-14.10.5 - Remote Code Execution via Search UI Extension Injection
CVSS 9.9
CVE-2023-48699 HIGH
fastbots < 0.1.5 - Remote Code Execution via Locators.ini File Injection
CVSS 8.4
CVE-2023-46731 CRITICAL
XWiki Platform < 14.10.14 - Unauthenticated Remote Code Execution via Section URL Parameter
CVSS 10.0
CVE-2023-37909 CRITICAL
XWiki 5.1-14.10.7 - Authenticated Remote Code Execution via User Profile Script Macro Injection
CVSS 9.9
CVE-2023-40177 CRITICAL
XWiki 4.3.1-14.10.4 - Authenticated Eval Injection via User Profile Content Field
CVSS 9.9
CVE-2023-37462 CRITICAL
XWiki 7.0-14.4.8 - Remote Code Execution via SkinsCode.XWikiSkinsSheet Injection
CVSS 9.9
CVE-2023-35152 CRITICAL
XWiki Platform 12.9-14.4.8 - Authenticated Eval Injection via First Name Field
CVSS 9.9
CVE-2023-35150 CRITICAL
XWiki Platform 2.40m-2-14.4.8, 14.10.4, 15.0 - Remote Code Execution via Crafted URL Payload
CVSS 9.9
CVE-2023-30537 CRITICAL
XWiki 12.6.6-13.10.10 - Authenticated Remote Code Execution via FlamingoThemesCode.WebHome Style Property
CVSS 9.9
CVE-2023-29511 CRITICAL
XWiki 1.7-13.10.10 - Authenticated Remote Code Execution via Section ID Injection in AdminFieldsDisplaySheet
CVSS 9.9
CVE-2023-29509 CRITICAL
XWiki < 13.10.11 - Authenticated Remote Code Execution via DocumentTree Macro Parameter Injection
CVSS 9.9
CVE-2023-29214 CRITICAL
XWiki < 13.10.11 - Authenticated Remote Code Execution via IncludedDocuments Panel
CVSS 9.9
CVE-2023-29212 CRITICAL
XWiki 14.0-14.4.7 - Authenticated Remote Code Execution via Insufficient Escaping in Included Documents Edit Panel
CVSS 9.9
CVE-2023-29211 CRITICAL
XWiki < 13.10.11 - Authenticated Remote Code Execution via Improper WikiId Parameter Escaping
CVSS 9.9
CVE-2023-29210 CRITICAL
XWiki < 13.10.11 - Authenticated Remote Code Execution via Notification Preferences Macro
CVSS 9.9
CVE-2023-29209 CRITICAL
XWiki < 13.10.11 - Code Execution via Legacy Notification Activity Macro
CVSS 9.9
CVE-2023-0888 MEDIUM
B.Braun Battery Pack SP with WiFi Firmware L90/U70 and L92/U92 - Authenticated Eval Injection in Embedded Web Server
CVSS 4.9
CVE-2023-0090 CRITICAL
Proofpoint Enterprise Protection < 8.20.0 - Remote Code Execution
CVSS 9.8
CVE-2023-0089 HIGH
Proofpoint Enterprise Protection < 8.20.0 - Authenticated Remote Code Execution
CVSS 8.8
CVE-2023-26477 CRITICAL
XWiki Platform < 13.10.10, < 14.4.6, < 14.9-rc-1 - Code Injection
CVSS 10.0
CVE-2022-41931 CRITICAL
xwiki-platform-icon-ui - Eval Injection
CVSS 9.9
CVE-2022-41928 CRITICAL
XWiki 5.0-13.10.6 - Eval Injection in AttachmentSelector.xml
CVSS 9.9
CVE-2022-36100 CRITICAL
XWiki Platform < 14.4 - Code Injection
CVSS 9.9
Details
Vulnerabilities: 138
Exploit Likelihood: Medium