CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6715 – Ditty 3.1.39-3.1.45 - Author+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6715
02 Aug 2024 — The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Content Title' field in versions 3.1.39 to 3.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject ... • https://wpscan.com/vulnerability/19406acc-3441-4d4a-9163-ace8f1dceb78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2024-33896 – Ewon Cosy+ Command Injection
https://notcve.org/view.php?id=CVE-2024-33896
02 Aug 2024 — Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. • https://packetstorm.news/files/id/180232 •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41956 – Soft Serve allows arbitrary code execution by crafting git-lfs requests
https://notcve.org/view.php?id=CVE-2024-41956
01 Aug 2024 — Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5. • https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
01 Aug 2024 — Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41961 – Elektra vulnerable to remote code execution in universal search
https://notcve.org/view.php?id=CVE-2024-41961
01 Aug 2024 — A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. • https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-6923 – Email header injection due to unquoted newlines
https://notcve.org/view.php?id=CVE-2024-6923
01 Aug 2024 — There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the ema... • https://github.com/python/cpython/issues/121650 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6988 – Debian Security Advisory 5735-1
https://notcve.org/view.php?id=CVE-2024-6988
01 Aug 2024 — (Chromium security severity: High) Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution. • https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6989 – Debian Security Advisory 5735-1
https://notcve.org/view.php?id=CVE-2024-6989
01 Aug 2024 — (Chromium security severity: High) Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution. • https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6991 – Debian Security Advisory 5735-1
https://notcve.org/view.php?id=CVE-2024-6991
01 Aug 2024 — (Chromium security severity: High) Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution. • https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html • CWE-416: Use After Free •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6994 – Debian Security Advisory 5735-1
https://notcve.org/view.php?id=CVE-2024-6994
01 Aug 2024 — (Chromium security severity: Medium) Multiple vulnerabilities have been discovered in QtWebEngine, the worst of which could lead to arbitrary code execution. • https://chromereleases.googleblog.com/2024/07/stable-channel-update-for-desktop_23.html • CWE-122: Heap-based Buffer Overflow •