CVE-2024-10462 – firefox: thunderbird: Origin of permission prompt could be spoofed by long URL
https://notcve.org/view.php?id=CVE-2024-10462
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1920423 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-290: Authentication Bypass by Spoofing •
CVE-2024-10461 – firefox: thunderbird: XSS due to Content-Disposition being ignored in multipart/x-mixed-replace response
https://notcve.org/view.php?id=CVE-2024-10461
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1914521 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-10460 – firefox: thunderbird: Confusing display of origin for external protocol handler prompt
https://notcve.org/view.php?id=CVE-2024-10460
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1912537 • CWE-346: Origin Validation Error CWE-940: Improper Verification of Source of a Communication Channel •
CVE-2024-10459 – firefox: thunderbird: Use-after-free in layout with accessibility
https://notcve.org/view.php?id=CVE-2024-10459
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1919087 • CWE-416: Use After Free •
CVE-2024-10458 – firefox: thunderbird: Permission leak via embed or object elements
https://notcve.org/view.php?id=CVE-2024-10458
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1921733 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-281: Improper Preservation of Permissions •
CVE-2024-7985 – FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7985
29 Oct 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L13 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-51378 – CyberPanel Incorrect Default Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2024-51378
29 Oct 2024 — getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. ... CyberPanel contains an incorrect default permissions vulnerability that allows for authentication bypass an... • https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce • CWE-276: Incorrect Default Permissions •
CVE-2024-51567 – CyberPanel Incorrect Default Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2024-51567
29 Oct 2024 — upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. ... CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to exe... • https://github.com/thehash007/CVE-2024-51567-RCE-EXPLOIT • CWE-276: Incorrect Default Permissions •
CVE-2024-51568 – CyberPanel 2.3.x Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-51568
29 Oct 2024 — There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. ... This Metasploit module exploits three separate unauthenticated remote code execution vulnerabilities in CyberPanel. • https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-48138
https://notcve.org/view.php?id=CVE-2024-48138
29 Oct 2024 — A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. • https://github.com/pluxml/PluXml/issues/829 • CWE-94: Improper Control of Generation of Code ('Code Injection') •