CWE-95
Medium likelihood
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
138 vulnerabilities with CWE-95
CVE-2022-36099
CRITICAL
XWiki Platform Wiki UI Main Wiki <13.10.6-14.4 - Code Injection
CVSS 9.9
CVE-2022-38193
MEDIUM
Esri Portal for ArcGIS <10.8.1 - Code Injection
CVSS 6.1
CVE-2022-36010
CRITICAL
react-editable-json-tree < 2.2.2 - Remote Code Execution via JsonFunctionValue Eval Injection
CVSS 10.0
CVE-2021-33678
MEDIUM
SAP NetWeaver AS ABAP - Code Injection
CVSS 6.5
CVE-2021-23277
HIGH
Eaton Intelligent Power Manager < 1.69 - Unauthenticated Eval Injection in loadUserFile Function
CVSS 8.3
CVE-2020-37137
MEDIUM
PHP-Fusion 9.03.50 - Remote Code Execution via panels.php Panel Content Parameter
CVSS 6.1
CVE-2020-6650
HIGH
Eaton UPS Companion < 1.05 - Remote Code Execution via Update Manager Eval Injection
CVSS 8.3
CVE-2020-5256
HIGH
BookStack < 0.25.5 - Remote Code Execution via PHP File Upload
CVSS 7.9
CVE-2020-5217
MEDIUM
Secure Headers < 3.8.0, 5.1.0, 6.2.0 - Directive Injection via Semicolon in CSP Directives
CVSS 4.4
CVE-2019-9507
HIGH
Vertiv Avocent UMG-4000 <4.2.1.19 - Command Injection
CVSS 8.3
CVE-2013-10070
CRITICAL
PHP-Charts 1.0 - Unauthenticated Remote Code Execution via GET Parameter Eval Injection
CVE-2013-10051
CRITICAL
InstantCMS < 1.6 - Remote PHP Code Execution via Search View Handler
CVSS 9.8
CVE-2011-10033
CRITICAL
WordPress Plugin <=1.4.2 - Code Injection