CWE-94

getStats.php in Centreon Web before 2.8.28 allows authenticated attackers to execute arbitrary code via the ns_id parameter.

The wpgform plugin before 0.94 for WordPress has eval injection in the CAPTCHA calculation.

cPanel before 70.0.23 allows demo accounts to execute code via the Landing Page (SEC-405).

cPanel before 71.9980.37 allows code injection in the WHM cPAddons interface (SEC-394).

An issue was discovered on Xerox WorkCentre 3655, 3655i, 58XX, 58XXi, 59XX, 59XXi, 6655, 6655i, 72XX, 72XXi, 78XX, 78XXi, 7970, 7970i, EC7836, and EC7856 devices before R18-05 073.xxx.0487.15000. An attacker can execute PHP code by leveraging a writable file.

Frog CMS 0.9.5 allows PHP code execution via <?php to the admin/?/layout/edit/1 URI.