CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48594
https://notcve.org/view.php?id=CVE-2024-48594
28 Oct 2024 — File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component. • https://github.com/Aa1b/mycve/blob/main/Readme.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-50509 – WordPress Woocommerce Product Design plugin <= 1.0.0 - Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-50509
28 Oct 2024 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://github.com/RandomRobbieBF/CVE-2024-50509 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-48825
https://notcve.org/view.php?id=CVE-2024-48825
28 Oct 2024 — Tenda AC7 v.15.03.06.44 ate_ifconfig_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. • https://github.com/ixout/iotVuls/blob/main/Tenda/ac7_005/report.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-48826
https://notcve.org/view.php?id=CVE-2024-48826
28 Oct 2024 — Tenda AC7 v.15.03.06.44 ate_iwpriv_set has pre-authentication command injection allowing remote attackers to execute arbitrary code. • https://github.com/ixout/iotVuls/blob/main/Tenda/ac7_006/report.md • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 96%CPEs: 4EXPL: 3CVE-2024-50623 – Cleo Multiple Products Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2024-50623
27 Oct 2024 — In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges. • https://github.com/watchtowrlabs/CVE-2024-50623 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9162 – All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
https://notcve.org/view.php?id=CVE-2024-9162
27 Oct 2024 — The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. • https://github.com/d0n601/CVE-2024-9162 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47821 – pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
https://notcve.org/view.php?id=CVE-2024-47821
25 Oct 2024 — By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary<... • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49380 – Plenti arbitrary file write vulnerability
https://notcve.org/view.php?id=CVE-2024-49380
25 Oct 2024 — This issue may lead to Remote Code Execution. • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49378 – smartUp Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-49378
25 Oct 2024 — The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. • https://github.com/zimocode/smartup/blob/2144ec161697751b1a6702f1af866726ea689e4e/js/background.js#L3800 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47023
https://notcve.org/view.php?id=CVE-2024-47023
25 Oct 2024 — there is a possible man-in-the-middle attack due to a logic error in the code. This could lead to remote escalation of privilege with no additional execution privileges needed. • https://source.android.com/security/bulletin/pixel/2024-10-01 •