CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

IBM Security SOAR 51.0.2.0 could allow an authenticated user to execute malicious code loaded from a specially crafted script. IBM X-Force ID: 294830. • https://exchange.xforce.ibmcloud.com/vulnerabilities/294830 https://www.ibm.com/support/pages/node/7158261 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

Clicking links in PDFs allows for arbitrary code execution because Joplin desktop: 1. has not disabled top redirection for note viewer iframes, and 2. has node integration enabled. • https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#sandbox https://github.com/laurent22/joplin/security/advisories/GHSA-g8qx-5vcm-3x59 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Control of Generation of Code ('Code Injection') vulnerability in InstaWP Team InstaWP Connect allows Code Injection. This issue affects InstaWP Connect: from n/a through 0.1.0.38. • https://patchstack.com/database/vulnerability/instawp-connect/wordpress-instawp-connect-plugin-0-1-0-38-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user with neither script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. • https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j584-j2vj-3f93 https://jira.xwiki.org/browse/XWIKI-21611 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

A Server-Side Request Forgery vulnerability was identified in GitHub Enterprise Server that allowed an attacker with the Site Administrator role to gain arbitrary code execution capability on the GitHub Enterprise Server instance. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.13 https://docs.github.com/en/enterprise-server@3.11/admin/release-notes#3.11.11 https://docs.github.com/en/enterprise-server@3.12/admin/release-notes#3.12.5 https://docs.github.com/en/enterprise-server@3.9/admin/release-notes#3.9.16 • CWE-918: Server-Side Request Forgery (SSRF)