CWE-94

Grouptime Teamwire Desktop Client 1.5.1 prior to 1.9.0 on Windows allows code injection via a template, leading to remote code execution. All backend versions prior to prod-2018-11-13-15-00-42 are affected.

LG SuperSign CMS allows remote attackers to execute arbitrary code via the sourceUri parameter to qsr_server/device/getThumbnail.

CScms 4.1 allows remote code execution, as demonstrated by 1′);eval($_POST[cmd]);# in Web Name to uploadpluginssysInstall.php.

admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the varvalue field.

admin/goods_update.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the attrvalue[] array parameter.

admin/web_config.php in PHPMyWind 5.5 allows Admin users to execute arbitrary code via the rewrite url setting.