CVE-2024-10460 – firefox: thunderbird: Confusing display of origin for external protocol handler prompt
https://notcve.org/view.php?id=CVE-2024-10460
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1912537 • CWE-346: Origin Validation Error CWE-940: Improper Verification of Source of a Communication Channel •
CVE-2024-10459 – firefox: thunderbird: Use-after-free in layout with accessibility
https://notcve.org/view.php?id=CVE-2024-10459
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1919087 • CWE-416: Use After Free •
CVE-2024-10458 – firefox: thunderbird: Permission leak via embed or object elements
https://notcve.org/view.php?id=CVE-2024-10458
29 Oct 2024 — Multiple vulnerabilities have been discovered in Mozilla Thunderbird, the worst of which could lead to remote code execution. • https://bugzilla.mozilla.org/show_bug.cgi?id=1921733 • CWE-280: Improper Handling of Insufficient Permissions or Privileges CWE-281: Improper Preservation of Permissions •
CVE-2024-7985 – FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7985
29 Oct 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L13 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-51378 – CyberPanel Incorrect Default Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2024-51378
29 Oct 2024 — getresetstatus in dns/views.py and ftp/views.py in CyberPanel (aka Cyber Panel) before 1c0c6cb allows remote attackers to bypass authentication and execute arbitrary commands via /dns/getresetstatus or /ftp/getresetstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. • https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce • CWE-276: Incorrect Default Permissions •
CVE-2024-51567 – CyberPanel Incorrect Default Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2024-51567
29 Oct 2024 — upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. ... CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker... • https://github.com/thehash007/CVE-2024-51567-RCE-EXPLOIT • CWE-276: Incorrect Default Permissions •
CVE-2024-51568 – CyberPanel 2.3.x Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-51568
29 Oct 2024 — There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. ... This Metasploit module exploits three separate unauthenticated remote code execution vulnerabilities in CyberPanel. • https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-48138
https://notcve.org/view.php?id=CVE-2024-48138
29 Oct 2024 — A remote code execution (RCE) vulnerability in the component /PluXml/core/admin/parametres_edittpl.php of PluXml v5.8.16 and lower allows attackers to execute arbitrary code via injecting a crafted payload into a template. • https://github.com/pluxml/PluXml/issues/829 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-48461
https://notcve.org/view.php?id=CVE-2024-48461
29 Oct 2024 — Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field. • https://github.com/bassmaster187/TeslaLogger/blob/65f5ff43c7cacf0391ddc21b90f77a2e8c8d860e/TeslaLogger/bin/changelog.md?plain=1#L4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-51075
https://notcve.org/view.php?id=CVE-2024-51075
29 Oct 2024 — A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Online%20DJ%20Booking/DJ%20online%20Cross%20Site%20Scripting%20%20u.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •