CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26148 – Querybook's Stored Cross-Site Scripting vulnerability allows Privilege Elevation
https://notcve.org/view.php?id=CVE-2024-26148
Querybook is a user interface for querying big data. Prior to version 3.31.1, there is a vulnerability in Querybook's rich text editor that enables users to input arbitrary URLs without undergoing necessary validation. This particular security flaw allows the use of `javascript:` protocol which can potentially trigger arbitrary client-side execution. The most extreme exploit of this flaw could occur when an admin user unknowingly clicks on a cross-site scripting URL, thereby unintentionally compromising admin role access to the attacker. A patch to rectify this issue has been introduced in Querybook version `3.31.1`. • https://github.com/pinterest/querybook/commit/bc620dabaaf13ff1dcb30af0b46a490403fb9908 https://github.com/pinterest/querybook/pull/1412 https://github.com/pinterest/querybook/security/advisories/GHSA-fh6g-gvvp-587f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: -EXPL: 0CVE-2024-22235
https://notcve.org/view.php?id=CVE-2024-22235
VMware Aria Operations contains a local privilege escalation vulnerability. A malicious actor with administrative access to the local system can escalate privileges to 'root'. • https://www.vmware.com/security/advisories/VMSA-2024-0004.html •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0865 – Schneider Electric EcoStruxure IT Gateway Hard-Coded Credentials Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-0865
This vulnerability allows local attackers to escalate privileges on affected installations of Schneider Electric EcoStruxure IT Gateway. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of NETWORK SERVICE. • https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2024-044-03&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2024-044-03.pdf • CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2023-52439 – uio: Fix use-after-free in uio_open
https://notcve.org/view.php?id=CVE-2023-52439
A use-after-free memory flaw in the uio_open functionality allows a local user to crash or escalate their privileges on the system. • https://git.kernel.org/stable/c/57c5f4df0a5a0ee83df799991251e2ee93a5e4e9 https://git.kernel.org/stable/c/13af019c87f2d90e663742cb1a819834048842ae https://git.kernel.org/stable/c/3174e0f7de1ba392dc191625da83df02d695b60c https://git.kernel.org/stable/c/e93da893d52d82d57fc0db2ca566024e0f26ff50 https://git.kernel.org/stable/c/5e0be1229ae199ebb90b33102f74a0f22d152570 https://git.kernel.org/stable/c/5cf604ee538ed0c467abe3b4cda5308a6398f0f7 https://git.kernel.org/stable/c/17a8519cb359c3b483fb5c7367efa9a8a508bdea https://git.kernel.org/stable/c/35f102607054faafe78d2a6994b18d5d9 • CWE-415: Double Free CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-1156 – NI FlexLogger RabbitMQ Incorrect Permission Assignment Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-1156
Incorrect directory permissions for the shared NI RabbitMQ service may allow a local authenticated user to read RabbitMQ configuration information and potentially enable escalation of privileges. ... This vulnerability allows local attackers to escalate privileges on affected installations of NI FlexLogger. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.ni.com/en/support/security/available-critical-and-security-updates-for-ni-software/incorrect-permissions-for-shared-systemlink-elixir-based-service.html • CWE-276: Incorrect Default Permissions •