CVE-2024-39165
https://notcve.org/view.php?id=CVE-2024-39165
04 Jul 2024 — QR/demoapp/qr_image.php in Asial JpGraph Professional through 4.2.6-pro allows remote attackers to execute arbitrary code via a PHP payload in the data parameter in conjunction with a .php file name in the filename parameter. This occurs because an unnecessary QR/demoapp folder is shipped with the product. • https://www.synacktiv.com/advisories/jpgraph-professional-version-pre-authenticated-remote-code-execution • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2009-4422
https://notcve.org/view.php?id=CVE-2009-4422
24 Dec 2009 — Multiple cross-site scripting (XSS) vulnerabilities in the GetURLArguments function in jpgraph.php in Aditus Consulting JpGraph 3.0.6 allow remote attackers to inject arbitrary web script or HTML via a key to csim_in_html_ex1.php, and other unspecified vectors. • http://osvdb.org/61268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')