CVE-2024-38651
https://notcve.org/view.php?id=CVE-2024-38651
A code injection vulnerability can allow a low-privileged user to overwrite files on that VSPC server, which can lead to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-39714
https://notcve.org/view.php?id=CVE-2024-39714
A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-40710
https://notcve.org/view.php?id=CVE-2024-40710
A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (savedcredentials and passwords). • https://www.veeam.com/kb4649 • CWE-522: Insufficiently Protected Credentials •
CVE-2024-8517 – SPIP Bigup Multipart File Upload OS Command Injection
https://notcve.org/view.php?id=CVE-2024-8517
SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request. • https://github.com/Chocapikk/CVE-2024-8517 https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html https://vulncheck.com/advisories/spip-upload-rce https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload • CWE-646: Reliance on File Name or Extension of Externally-Supplied File •
CVE-2024-45758
https://notcve.org/view.php?id=CVE-2024-45758
H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. • https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068 https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb • CWE-502: Deserialization of Untrusted Data •