CVSS: 6.4EPSS: 0%CPEs: 4EXPL: 0CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
31 Jul 2024 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user ... • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37129
https://notcve.org/view.php?id=CVE-2024-37129
31 Jul 2024 — A local authenticated malicious user could potentially exploit this vulnerability, leading to arbitrary code execution on the system. • https://www.dell.com/support/kbdoc/en-us/000225779/dsa-2024-263 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32857
https://notcve.org/view.php?id=CVE-2024-32857
31 Jul 2024 — An attacker could potentially exploit this vulnerability through preloading malicious DLL or symbolic link exploitation, leading to arbitrary code execution and escalation of privilege • https://www.dell.com/support/kbdoc/en-us/000225474/dsa-2024-242 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37127
https://notcve.org/view.php?id=CVE-2024-37127
31 Jul 2024 — An attacker could potentially exploit this vulnerability through preloading malicious DLL or symbolic link exploitation, leading to arbitrary code execution and escalation of privilege • https://www.dell.com/support/kbdoc/en-us/000225474/dsa-2024-242 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37142
https://notcve.org/view.php?id=CVE-2024-37142
31 Jul 2024 — An attacker could potentially exploit this vulnerability through preloading malicious DLL or symbolic link exploitation, leading to arbitrary code execution and escalation of privilege • https://www.dell.com/support/kbdoc/en-us/000225474/dsa-2024-242 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41304
https://notcve.org/view.php?id=CVE-2024-41304
30 Jul 2024 — An arbitrary file upload vulnerability in the uploadFileAction() function of WonderCMS v3.4.3 allows attackers to execute arbitrary code via a crafted SVG file. • https://github.com/patrickdeanramos/WonderCMS-version-3.4.3-SVG-Stored-Cross-Site-Scripting • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6726 – Remote Code Execution (RCE) in Delphix
https://notcve.org/view.php?id=CVE-2024-6726
29 Jul 2024 — Versions of Delphix Engine prior to Release 25.0.0.0 contain a flaw which results in Remote Code Execution (RCE). • https://portal.perforce.com/s/detail/a91PA000001SUDtYAO • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.7EPSS: 0%CPEs: 8EXPL: 0CVE-2024-42084 – ftruncate: pass a signed offset
https://notcve.org/view.php?id=CVE-2024-42084
29 Jul 2024 — In the Linux kernel, the following vulnerability has been resolved: ftruncate: pass a signed offset The old ftruncate() syscall, using the 32-bit off_t misses a sign extension when called in compat mode on 64-bit architectures. As a result, passing a negative length accidentally succeeds in truncating to file size between 2GiB and 4GiB. Changing the type of the compat syscall to the signed compat_off_t changes the behavior so it instead returns -EINVAL. The native entry point, the truncate() syscall and the... • https://git.kernel.org/stable/c/3f6d078d4accfff8b114f968259a060bfdc7c682 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41817 – Arbitrary Code Execution in `AppImage` version `ImageMagick`
https://notcve.org/view.php?id=CVE-2024-41817
29 Jul 2024 — The `AppImage` version `ImageMagick` might use an empty path when setting `MAGICK_CONFIGURE_PATH` and `LD_LIBRARY_PATH` environment variables while executing, which might lead to arbitrary code execution by loading malicious configuration files or shared libraries in the current working directory while executing `ImageMagick`. • https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-8rxc-922v-phg8 • CWE-427: Uncontrolled Search Path Element •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 2CVE-2024-6330 – GEO my WordPress < 4.4.0.2 - Unauthenticated RCE via LFI
https://notcve.org/view.php?id=CVE-2024-6330
29 Jul 2024 — The GEO my WP WordPress plugin before 4.5.0.2 does not prevent unauthenticated attackers from including arbitrary files in PHP's execution context, which leads to Remote Code Execution. The GEO my WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.5.0.1 via the 'form[info_window_template][content_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code... • https://github.com/RandomRobbieBF/CVE-2024-6330 • CWE-94: Improper Control of Generation of Code ('Code Injection') •