Page 397 of 8781 results (0.092 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

An attacker authenticated as a user with a non-administrative role and a common remote execution authorization in SAP Solution Manager and ABAP managed systems (ST-PI) - versions 2088_1_700, 2008_1_710, 740, can use a vulnerable interface to execute an application function to perform actions which they would not normally be permitted to perform.  Depending on the function executed, the attack can read or modify any user or application data and can make the application unavailable. • https://launchpad.support.sap.com/#/notes/3296476 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0

In some scenario, SAP Business Objects Business Intelligence Platform (CMC) - versions 420, 430, Program Object execution can lead to code injection vulnerability which could allow an attacker to gain access to resources that are allowed by extra privileges. • https://launchpad.support.sap.com/#/notes/3245526 https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

github-slug-action is a GitHub Action to expose slug value of GitHub environment variables inside of one's GitHub workflow. Starting in version 4.0.0` and prior to version 4.4.1, this action uses the `github.head_ref` parameter in an insecure way. This vulnerability can be triggered by any user on GitHub on any workflow using the action on pull requests. They just need to create a pull request with a branch name, which can contain the attack payload. This can be used to execute code on the GitHub runners and to exfiltrate any secrets one uses in the CI pipeline. • https://github.com/rlespinasse/github-slug-action/commit/102b1a064a9b145e56556e22b18b19c624538d94 https://github.com/rlespinasse/github-slug-action/releases/tag/v4.4.1 https://github.com/rlespinasse/github-slug-action/security/advisories/GHSA-6q4m-7476-932w https://securitylab.github.com/research/github-actions-untrusted-input • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 7.2EPSS: 0%CPEs: 3EXPL: 0

An improper neutralization of directives in dynamically evaluated code vulnerability in the WiFi Battery embedded web server in versions L90/U70 and L92/U92 can be used to gain administrative access to the WiFi communication module. An authenticated user, having access to both the medical device WiFi network (such as a biomedical engineering staff member) and the specific B.Braun Battery Pack SP with WiFi web server credentials, could get administrative (root) access on the infusion pump communication module. This could be used as a vector to start further attacks • https://www.bbraun.com/productsecurity https://www.bbraunusa.com/productsecurity • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •

CVSS: 6.0EPSS: 0%CPEs: 1EXPL: 1

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. • https://github.com/alextselegidis/easyappointments/commit/453c6e130229718680c91bef450db643a0f263e4 https://huntr.dev/bounties/16bc74e2-1825-451f-bff7-bfdc1ea75cc2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •