Common Weakness Enumeration

CWE-94

Allowed-with-Review

Improper Control of Generation of Code ('Code Injection')

Abstraction: Base · Status: Draft

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

8301 vulnerabilities reference this CWE, most recent first.

GHSA-MJ8G-44PC-GHJG

Vulnerability from github – Published: 2022-05-17 02:40 – Updated: 2022-05-17 02:40
VLAI
Details

Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to execute arbitrary code with root privileges via a crafted UDS patch with shell scripts.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2015-2252"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-06-08T16:29:00Z",
    "severity": "HIGH"
  },
  "details": "Huawei OceanStor UDS devices with software before V100R002C01SPC102 might allow remote attackers to execute arbitrary code with root privileges via a crafted UDS patch with shell scripts.",
  "id": "GHSA-mj8g-44pc-ghjg",
  "modified": "2022-05-17T02:40:48Z",
  "published": "2022-05-17T02:40:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-2252"
    },
    {
      "type": "WEB",
      "url": "http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-417837.htm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJCQ-9W3F-V5MX

Vulnerability from github – Published: 2026-06-05 00:31 – Updated: 2026-06-05 18:31
VLAI
Details

Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-11157"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-04T23:17:22Z",
    "severity": "MODERATE"
  },
  "details": "Script injection in Accessibility in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to inject arbitrary scripts or HTML (UXSS) via a crafted Chrome Extension. (Chromium security severity: Medium)",
  "id": "GHSA-mjcq-9w3f-v5mx",
  "modified": "2026-06-05T18:31:36Z",
  "published": "2026-06-05T00:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11157"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/501823385"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-MJF2-HX35-V8CQ

Vulnerability from github – Published: 2022-05-01 07:30 – Updated: 2022-05-01 07:30
VLAI
Details

PHP remote file inclusion vulnerability in aide.php3 (aka aide.php) in GestArt beta 1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the aide parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2006-5612"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2006-10-31T01:07:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in aide.php3 (aka aide.php) in GestArt beta 1, when register_globals is enabled, allows remote attackers to execute arbitrary PHP code via the aide parameter.",
  "id": "GHSA-mjf2-hx35-v8cq",
  "modified": "2022-05-01T07:30:08Z",
  "published": "2022-05-01T07:30:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2006-5612"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/29853"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/3467"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/1795"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/449887/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/20750"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/0943"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJF8-RRMF-Q848

Vulnerability from github – Published: 2022-04-29 02:58 – Updated: 2025-04-03 04:00
VLAI
Details

Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2004-0637"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2004-09-02T04:00:00Z",
    "severity": "MODERATE"
  },
  "details": "Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible.",
  "id": "GHSA-mjf8-rrmf-q848",
  "modified": "2025-04-03T04:00:57Z",
  "published": "2022-04-29T02:58:04Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2004-0637"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/12409"
    },
    {
      "type": "WEB",
      "url": "http://www.idefense.com/application/poi/display?id=136\u0026type=vulnerabilities\u0026flashstatus=true"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/316206"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/11099"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJFQ-3QR2-6G84

Vulnerability from github – Published: 2025-05-14 17:35 – Updated: 2025-05-14 17:35
VLAI
Summary
Cosmos EVM Allows Partial Precompile State Writes
Details

Impact

Setting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state.

If executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, halting validators.

Any evmOS or Cosmos EVM chain using precompiles is affected.

Patches

The vulnerability was patched by wrapping each precompile execution into an atomic function that reverts any partially committed state on error.

  • evmos/os patch file: https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS_/

For chains using a different file structure, you must manually apply the diff:

In x/evm/statedb.go:

Add the following function:

func (s *StateDB) RevertMultiStore(cms storetypes.CacheMultiStore, events sdk.Events) {
    s.cacheCtx = s.cacheCtx.WithMultiStore(cms)
    s.writeCache = func() {
        // rollback the events to the ones
        // on the snapshot
        s.ctx.EventManager().EmitEvents(events)
        cms.Write()
    }
}

In x/evm/statedb/journal.go:

Replace the Revert function with the following:

func (pc precompileCallChange) Revert(s *StateDB) {
    // rollback multi store from cache ctx to the previous
    // state stored in the snapshot
    s.RevertMultiStore(pc.multiStore, pc.events)
}

In precompiles/common/precompile.go:

Change the function signature in HandleGasError to:

func HandleGasError(ctx sdk.Context, contract *vm.Contract, initialGas storetypes.Gas, err *error, stateDB *statedb.StateDB, snapshot snapshot) func() {
...
}

In the HandleGasError function, add the following line in the switch statement in the case storetypes.ErrorOutOfGas: case:

stateDB.RevertMultiStore(snapshot.MultiStore, snapshot.Events)

Add the following function:

// RunAtomic is used within the Run function of each Precompile implementation.
// It handles rolling back to the provided snapshot if an error is returned from the core precompile logic.
// Note: This is only required for stateful precompiles.
func (p Precompile) RunAtomic(s snapshot, stateDB *statedb.StateDB, fn func() ([]byte, error)) ([]byte, error) {
    bz, err := fn()
    if err != nil {
        // revert to snapshot on error
        stateDB.RevertMultiStore(s.MultiStore, s.Events)
    }
    return bz, err
}

All Precompiles:

Finally, in each precompile, locate the Run function, and wrap each switch statement and return values into p.RunAtomic. For example:

// Run executes the precompiled contract IBC transfer methods defined in the ABI.
func (p Precompile) Run(evm *vm.EVM, contract *vm.Contract, readOnly bool) (bz []byte, err error) {
    ctx, stateDB, snapshot, method, initialGas, args, err := p.RunSetup(evm, contract, readOnly, p.IsTransaction)
    if err != nil {
        return nil, err
    }

    // This handles any out of gas errors that may occur during the execution of a precompile tx or query.
    // It avoids panics and returns the out of gas error so the EVM can continue gracefully.
    defer cmn.HandleGasError(ctx, contract, initialGas, &err, stateDB, snapshot)()

        // === WRAP HERE ===
    return p.RunAtomic(snapshot, stateDB, func() ([]byte, error) {
        switch method.Name {
        // TODO Approval transactions => need cosmos-sdk v0.46 & ibc-go v6.2.0
        // Authorization Methods:
        case exampleCase:
            bz, err = p.example(ctx, evm.Origin, stateDB, method, args)
        default:
            return nil, fmt.Errorf(cmn.ErrUnknownMethod, method.Name)
        }

        if err != nil {
            return nil, err
        }

        cost := ctx.GasMeter().GasConsumed() - initialGas

        if !contract.UseGas(cost) {
            return nil, vm.ErrOutOfGas
        }

        if err := p.AddJournalEntries(stateDB, snapshot); err != nil {
            return nil, err
        }

        return bz, nil
    })
}

Workarounds

There are no workarounds for chains that make use of precompiles. A coordinated upgrade is necessary to patch the issue.

Testing

A test was introduced in the distribution precompile to ensure that partial state writes no longer occur when a lower gas amount is set.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/cosmos/evm"
      },
      "versions": [
        "0.1.0"
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-05-14T17:35:54Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\nSetting lower EVM call gas allows users to partially execute precompiles and error at specific points in the precompile code without reverting the partially written state. \n\nIf executed on the distribution precompile when claiming funds, it could cause funds to be transferred to a user without resetting the claimable rewards to 0. The vulnerability could also be used to cause indeterministic execution by failing at other points in the code, halting validators.\n\nAny evmOS or Cosmos EVM chain using precompiles is affected.\n\n### Patches\nThe vulnerability was patched by wrapping each precompile execution into an atomic function that reverts any partially committed state on error.\n\n- [evmos/os](https://github.com/evmos/os) patch file: https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS_/\n\nFor chains using a different file structure, you must manually apply the diff:\n\n### **In `x/evm/statedb.go`:**\n\nAdd the following function:\n```go\nfunc (s *StateDB) RevertMultiStore(cms storetypes.CacheMultiStore, events sdk.Events) {\n\ts.cacheCtx = s.cacheCtx.WithMultiStore(cms)\n\ts.writeCache = func() {\n\t\t// rollback the events to the ones\n\t\t// on the snapshot\n\t\ts.ctx.EventManager().EmitEvents(events)\n\t\tcms.Write()\n\t}\n}\n```\n\n### **In `x/evm/statedb/journal.go`:**\n\nReplace the `Revert` function with the following:\n```go\nfunc (pc precompileCallChange) Revert(s *StateDB) {\n\t// rollback multi store from cache ctx to the previous\n\t// state stored in the snapshot\n\ts.RevertMultiStore(pc.multiStore, pc.events)\n}\n```\n\n### **In `precompiles/common/precompile.go`:**\n\nChange the function signature in `HandleGasError` to:\n```go\nfunc HandleGasError(ctx sdk.Context, contract *vm.Contract, initialGas storetypes.Gas, err *error, stateDB *statedb.StateDB, snapshot snapshot) func() {\n...\n}\n```\n\nIn the `HandleGasError` function, add the following line in the switch statement in the `case storetypes.ErrorOutOfGas:` case:\n```go\nstateDB.RevertMultiStore(snapshot.MultiStore, snapshot.Events)\n```\n\nAdd the following function:\n```go\n// RunAtomic is used within the Run function of each Precompile implementation.\n// It handles rolling back to the provided snapshot if an error is returned from the core precompile logic.\n// Note: This is only required for stateful precompiles.\nfunc (p Precompile) RunAtomic(s snapshot, stateDB *statedb.StateDB, fn func() ([]byte, error)) ([]byte, error) {\n\tbz, err := fn()\n\tif err != nil {\n\t\t// revert to snapshot on error\n\t\tstateDB.RevertMultiStore(s.MultiStore, s.Events)\n\t}\n\treturn bz, err\n}\n```\n\n### **All Precompiles:**\nFinally, in each precompile, locate the `Run` function, and wrap each switch statement and return values into `p.RunAtomic`. For example:\n```go\n// Run executes the precompiled contract IBC transfer methods defined in the ABI.\nfunc (p Precompile) Run(evm *vm.EVM, contract *vm.Contract, readOnly bool) (bz []byte, err error) {\n\tctx, stateDB, snapshot, method, initialGas, args, err := p.RunSetup(evm, contract, readOnly, p.IsTransaction)\n\tif err != nil {\n\t\treturn nil, err\n\t}\n\n\t// This handles any out of gas errors that may occur during the execution of a precompile tx or query.\n\t// It avoids panics and returns the out of gas error so the EVM can continue gracefully.\n\tdefer cmn.HandleGasError(ctx, contract, initialGas, \u0026err, stateDB, snapshot)()\n\n        // === WRAP HERE ===\n\treturn p.RunAtomic(snapshot, stateDB, func() ([]byte, error) {\n\t\tswitch method.Name {\n\t\t// TODO Approval transactions =\u003e need cosmos-sdk v0.46 \u0026 ibc-go v6.2.0\n\t\t// Authorization Methods:\n\t\tcase exampleCase:\n\t\t\tbz, err = p.example(ctx, evm.Origin, stateDB, method, args)\n\t\tdefault:\n\t\t\treturn nil, fmt.Errorf(cmn.ErrUnknownMethod, method.Name)\n\t\t}\n\n\t\tif err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\tcost := ctx.GasMeter().GasConsumed() - initialGas\n\n\t\tif !contract.UseGas(cost) {\n\t\t\treturn nil, vm.ErrOutOfGas\n\t\t}\n\n\t\tif err := p.AddJournalEntries(stateDB, snapshot); err != nil {\n\t\t\treturn nil, err\n\t\t}\n\n\t\treturn bz, nil\n\t})\n}\n```\n\n\n### Workarounds\nThere are no workarounds for chains that make use of precompiles. A coordinated upgrade is necessary to patch the issue.\n\n### Testing\nA test was introduced in the distribution precompile to ensure that partial state writes no longer occur when a lower gas amount is set.",
  "id": "GHSA-mjfq-3qr2-6g84",
  "modified": "2025-05-14T17:35:54Z",
  "published": "2025-05-14T17:35:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/evm/security/advisories/GHSA-mjfq-3qr2-6g84"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cosmos/evm/commit/0fff8c144b24effbcb3addd666150ba5989d631c"
    },
    {
      "type": "WEB",
      "url": "https://drive.google.com/file/d/1LfC0WSrQOqwTOW3qfaE6t8Jqf1PLVtS_"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/cosmos/evm"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cosmos EVM Allows Partial Precompile State Writes"
}

GHSA-MJH4-63MF-8XQC

Vulnerability from github – Published: 2022-05-01 23:36 – Updated: 2022-05-01 23:36
VLAI
Details

PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2008-1059"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-02-28T19:44:00Z",
    "severity": "HIGH"
  },
  "details": "PHP remote file inclusion vulnerability in modules/syntax_highlight.php in the Sniplets 1.1.2 and 1.2.2 plugin for WordPress allows remote attackers to execute arbitrary PHP code via a URL in the libpath parameter.",
  "id": "GHSA-mjh4-63mf-8xqc",
  "modified": "2022-05-01T23:36:22Z",
  "published": "2022-05-01T23:36:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-1059"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/40829"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/5194"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29099"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/3706"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/488734/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/27985"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJP9-35C3-RJJH

Vulnerability from github – Published: 2022-05-01 02:03 – Updated: 2022-05-01 02:03
VLAI
Details

Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2005-1894"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2005-06-09T04:00:00Z",
    "severity": "HIGH"
  },
  "details": "Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker.",
  "id": "GHSA-mjp9-35c3-rjjh",
  "modified": "2022-05-01T02:03:09Z",
  "published": "2022-05-01T02:03:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2005-1894"
    },
    {
      "type": "WEB",
      "url": "http://flatnuke.sourceforge.net/index.php?mod=read\u0026id=1117979256"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/15603"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1014114"
    },
    {
      "type": "WEB",
      "url": "http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2005/0697"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJQ4-J36X-7H6P

Vulnerability from github – Published: 2022-05-17 01:53 – Updated: 2022-05-17 01:53
VLAI
Details

FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2011-3256"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2011-10-14T10:55:00Z",
    "severity": "MODERATE"
  },
  "details": "FreeType 2 before 2.4.7, as used in CoreGraphics in Apple iOS before 5, Mandriva Enterprise Server 5, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted font, a different vulnerability than CVE-2011-0226.",
  "id": "GHSA-mjq4-j36x-7h6p",
  "modified": "2022-05-17T01:53:51Z",
  "published": "2022-05-17T01:53:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-3256"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/70552"
    },
    {
      "type": "WEB",
      "url": "https://sourceforge.net/projects/freetype/files/freetype2/2.4.7/README/view"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/Security-announce/2011//Oct/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce/2012/Feb/msg00000.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069100.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2011-12/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00012.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/48951"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT4999"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT5130"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2011/dsa-2328"
    },
    {
      "type": "WEB",
      "url": "http://www.mandriva.com/security/advisories?name=MDVSA-2011:157"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/50155"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJQ5-4H2V-323X

Vulnerability from github – Published: 2022-05-01 18:34 – Updated: 2022-05-01 18:34
VLAI
Details

PHP remote file inclusion vulnerability in djpage.php in PHPDJ 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5574"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-10-18T21:17:00Z",
    "severity": "MODERATE"
  },
  "details": "PHP remote file inclusion vulnerability in djpage.php in PHPDJ 0.5 allows remote attackers to execute arbitrary PHP code via a URL in the page parameter.",
  "id": "GHSA-mjq5-4h2v-323x",
  "modified": "2022-05-01T18:34:36Z",
  "published": "2022-05-01T18:34:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5574"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/37262"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/4543"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/26112"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-MJWQ-HGMC-4X68

Vulnerability from github – Published: 2022-05-05 00:29 – Updated: 2024-04-03 23:57
VLAI
Details

PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2013-2267"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-01-27T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "PHP Code Injection vulnerability in FUDforum Bulletin Board Software 3.0.4 could allow remote attackers to execute arbitrary code on the system.",
  "id": "GHSA-mjwq-hgmc-4x68",
  "modified": "2024-04-03T23:57:57Z",
  "published": "2022-05-05T00:29:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2267"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/83229"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/58845"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Refactoring

Refactor your program so that you do not have to dynamically generate code.

Mitigation
Architecture and Design
  • Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product.
  • Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection.
  • This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise.
  • Be careful to avoid CWE-243 and other weaknesses related to jails.
Mitigation MIT-5
Implementation

Strategy: Input Validation

  • Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
  • When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
  • Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
  • To reduce the likelihood of code injection, use stringent allowlists that limit which constructs are allowed. If you are dynamically constructing code that invokes a function, then verifying that the input is alphanumeric might be insufficient. An attacker might still be able to reference a dangerous function that you did not intend to allow, such as system(), exec(), or exit().
Mitigation
Testing

Use dynamic tools and techniques that interact with the product using large test suites with many diverse inputs, such as fuzz testing (fuzzing), robustness testing, and fault injection. The product's operation may slow down, but it should not become unstable, crash, or generate incorrect results.

Mitigation MIT-32
Operation

Strategy: Compilation or Build Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation MIT-32
Operation

Strategy: Environment Hardening

Run the code in an environment that performs automatic taint propagation and prevents any command execution that uses tainted variables, such as Perl's "-T" switch. This will force the program to perform validation steps that remove the taint, although you must be careful to correctly validate your inputs so that you do not accidentally mark dangerous inputs as untainted (see CWE-183 and CWE-184).

Mitigation
Implementation

For Python programs, it is frequently encouraged to use the ast.literal_eval() function instead of eval, since it is intentionally designed to avoid executing code. However, an adversary could still cause excessive memory or stack consumption via deeply nested structures [REF-1372], so the python documentation discourages use of ast.literal_eval() on untrusted data [REF-1373].

CAPEC-242: Code Injection

An adversary exploits a weakness in input validation on the target to inject new code into that which is currently executing. This differs from code inclusion in that code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.

CAPEC-35: Leverage Executable Code in Non-Executable Files

An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high.

CAPEC-77: Manipulating User-Controlled Variables

This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An adversary can override variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the adversary can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.