CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45116 – Adobe Commerce | Cross-site Scripting (XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-45116
Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by a Cross-Site Scripting (XSS) vulnerability that could be exploited to execute arbitrary code. • https://helpx.adobe.com/security/products/magento/apsb24-73.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9707 – Hunk Companion <= 1.8.4 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-9707
This makes it possible for unauthenticated attackers to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-9707 https://www.wordfence.com/threat-intel/vulnerabilities/id/9c101fca-037c-4bed-9dc7-baa021a8b59c?source=cve https://github.com/WordPressBugBounty/plugins-hunk-companion/blob/5a3cedc7b3d35d407b210e691c53c6cb400e4051/hunk-companion/import/app/app.php#L46 https://wordpress.org/plugins/hunk-companion https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3166501%40hunk-companion&new=3166501%40hunk-companion&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 6.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-7037 – Arbitrary File Write/Delete Leading to RCE in open-webui/open-webui
https://notcve.org/view.php?id=CVE-2024-7037
In version v0.3.8 of open-webui/open-webui, the endpoint /api/pipelines/upload is vulnerable to arbitrary file write and delete due to unsanitized file.filename concatenation with CACHE_DIR. This vulnerability allows attackers to overwrite and delete system files, potentially leading to remote code execution. • https://huntr.com/bounties/8508db68-9c99-4b1c-828c-e1bfcacfb847 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8015 – Telerik Report Server Insecure Type Resolution
https://notcve.org/view.php?id=CVE-2024-8015
In Progress Telerik Report Server versions prior to 2024 Q3 (10.2.24.924), a remote code execution attack is possible through object injection via an insecure type resolution vulnerability. • https://docs.telerik.com/report-server/knowledge-base/insecure-type-resolution-cve-2024-8015 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47422 – Adobe Framemaker | Untrusted Search Path (CWE-426)
https://notcve.org/view.php?id=CVE-2024-47422
Adobe Framemaker versions 2020.6, 2022.4 and earlier are affected by an Untrusted Search Path vulnerability that could lead to arbitrary code execution. An attacker could exploit this vulnerability by inserting a malicious path into the search directories, which the application could unknowingly execute. This could allow the attacker to execute arbitrary code in the context of the current user. • https://helpx.adobe.com/security/products/framemaker/apsb24-82.html • CWE-426: Untrusted Search Path •