CVSS: 9.1 | EPSS: 0% | CPEs: - | EXPL: 0

Exploitation of this vulnerability could lead to application compromise, denial of service (DoS) attacks, and unauthorized admin account takeover. The issue stems from improper validation of user-supplied input in the process of setting a custom logo for the app, which can be manipulated to achieve arbitrary file read, deletion, or overwrite, and to execute a DoS attack by deleting critical files required for the application's operation. ... • https://github.com/mintplex-labs/anything-llm/commit/e208074ef4c240fe03e4147ab097ec3b52b97619 https://huntr.com/bounties/38f282cb-7226-435e-9832-2d4a102dad4b • CWE-29: Path Traversal: '\..\filename' •

CVSS: 4.7 | EPSS: 0% | CPEs: 6 | EXPL: 0

A local authenticated malicious user with admin privileges could potentially exploit this vulnerability, leading to platform denial of service. • https://www.dell.com/support/kbdoc/en-us/000225476/dsa-2024-168 • CWE-787: Out-of-bounds Write •

CVSS: - | EPSS: 0% | CPEs: - | EXPL: 0

An issue in vektah gqlparser open-source-library v.2.5.10 allows a remote attacker to cause a denial of service via a crafted script to the parserDirectives function. • https://gist.github.com/uvzz/d3ed9d4532be16ec1040a2cf3dfec8d1 •

CVSS: 7.5 | EPSS: 0% | CPEs: - | EXPL: 0

RMQTT Broker 0.4.0 allows remote attackers to cause a Denial of Service (daemon crash) via a certain sequence of five TCP packets. • https://gist.github.com/pengwGit/d8410afeb0d5d11ab79f596a32178c2e https://github.com/rmqtt/rmqtt/releases/tag/0.4.0 • CWE-404: Improper Resource Shutdown or Release •

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 0

This makes it possible for unauthenticated attackers to delete arbitrary options that can be used to perform a denial of service attack on a site. • https://plugins.trac.wordpress.org/browser/pearl-header-builder/tags/1.3.7/includes/helpers.php#L304 https://www.wordfence.com/threat-intel/vulnerabilities/id/c2e770e0-1a39-4946-838b-4fd1f1dea1c8?source=cve • CWE-862: Missing Authorization •