CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12641 – Chunghwa Telecom TenderDocTransfer - Reflected Cross-site Scripting to RCE
https://notcve.org/view.php?id=CVE-2024-12641
16 Dec 2024 — Due to the lack of CSRF protection for the APIs, unauthenticated remote attackers could use specific APIs through phishing to execute arbitrary JavaScript code in the user’s browser. • https://www.twcert.org.tw/en/cp-139-8299-42168-2.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-29671
https://notcve.org/view.php?id=CVE-2024-29671
16 Dec 2024 — Buffer Overflow vulnerability in NEXTU FLATA AX1500 Router v.1.0.2 allows a remote attacker to execute arbitrary code via the POST request handler component. • https://github.com/laskdjlaskdj12/CVE-2024-29671-POC • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-55085
https://notcve.org/view.php?id=CVE-2024-55085
16 Dec 2024 — GetSimple CMS CE 3.3.19 suffers from arbitrary code execution in the template editing function in the background management system, which can be used by an attacker to implement RCE. • https://getsimple-ce.ovh • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-56084
https://notcve.org/view.php?id=CVE-2024-56084
16 Dec 2024 — These are executed, leading to Remote Code Execution. • https://servicedesk.logpoint.com/hc/en-us/articles/22137632418845-Remote-Code-Execution-while-creating-Universal-Normalizer • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-56086
https://notcve.org/view.php?id=CVE-2024-56086
16 Dec 2024 — These are executed when the backup process is initiated, leading to Remote Code Execution. • https://servicedesk.logpoint.com/hc/en-us/articles/22136886421277-Remote-Code-Execution-while-creating-Report-Templates • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55890 – D-Tale allows Remote Code Execution through the Custom Filter Input
https://notcve.org/view.php?id=CVE-2024-55890
13 Dec 2024 — Prior to version 3.16.1, users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. • https://github.com/man-group/dtale#custom-filter • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55661 – Laravel Pulse Allows Remote Code Execution via Unprotected Query Method
https://notcve.org/view.php?id=CVE-2024-55661
13 Dec 2024 — A vulnerability has been discovered in Laravel Pulse prior to version 1.3.1 that could allow remote code execution through the public `remember()` method in the `Laravel\Pulse\Livewire\Concerns\RemembersQueries` trait. ... An authenticated user with access to Laravel Pulse dashboard can execute arbitrary code by calling any function or static method in which the callable is a function or static method and the callable has no parameters or no strict parameter types. • https://github.com/laravel/pulse/commit/d1a5bf2eca36c6e3bedb4ceecd45df7d002a1ebc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9698 – Crafthemes Demo Import <= 3.3 - Authenticated (Admin+) Arbitrary File Upload in process_uploaded_files
https://notcve.org/view.php?id=CVE-2024-9698
13 Dec 2024 — This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/crafthemes-demo-import/trunk/inc/Helpers.php#L421 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9508 – Horner Automation Cscape Out-of-bounds Read
https://notcve.org/view.php?id=CVE-2024-9508
13 Dec 2024 — Horner Automation Cscape contains a memory corruption vulnerability, which could allow an attacker to disclose information and execute arbitrary code. • https://hornerautomation.com/cscape-software-free/cscape-software • CWE-125: Out-of-bounds Read •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-55879 – XWiki allows RCE from script right in configurable sections
https://notcve.org/view.php?id=CVE-2024-55879
12 Dec 2024 — Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. • https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d • CWE-862: Missing Authorization •