CVE-2024-48579
https://notcve.org/view.php?id=CVE-2024-48579
25 Oct 2024 — SQL Injection vulnerability in Best House rental management system project in php v.1.0 allows a remote attacker to execute arbitrary code via the username parameter of the login request. • https://github.com/baineoli/CVE/blob/main/2024/house%20rental%20management%20system%20-%20SQL%20Injection%20%28Admin%20Login%29.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-48580
https://notcve.org/view.php?id=CVE-2024-48580
25 Oct 2024 — SQL Injection vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the email parameter of the login request. • https://github.com/baineoli/CVE/blob/main/2024/courier%20management%20system%20-%20SQL%20Injection%20%28Admin%20Login%29.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-48581
https://notcve.org/view.php?id=CVE-2024-48581
25 Oct 2024 — File Upload vulnerability in Best courier management system in php v.1.0 allows a remote attacker to execute arbitrary code via the admin_class.php component. • https://github.com/baineoli/CVE/blob/main/2024/courier%20management%20system%20-%20Unrestricted%20File%20Upload%20to%20RCE%20%28Sign%20Up%29.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-50492 – WordPress ScottCart plugin <= 1.1 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-50492
25 Oct 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Scott Paterson ScottCart allows Code Injection. This issue affects ScottCart: from n/a through 1.1. The WordPress eCommerce – ScottCart plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to execute code on the server. • https://patchstack.com/database/vulnerability/scottcart/wordpress-scottcart-plugin-1-1-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-50497 – WordPress Advanced Online Ordering and Delivery Platform plugin <= 2.0.0 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-50497
25 Oct 2024 — Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in BuyNowDepot Advanced Online Ordering and Delivery Platform allows PHP Local File Inclusion. This issue affects Advanced Online Ordering and Delivery Platform: from n/a through 2.0.0. ... This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be use... • https://patchstack.com/database/vulnerability/advanced-online-ordering-and-delivery-platform/wordpress-advanced-online-ordering-and-delivery-platform-plugin-2-0-0-local-file-inclusion-vulnerability?_s_id=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-8392 – WordPress Post Grid Layouts with Pagination – Sogrid <= 1.5.2 - Authenticated (Admin+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-8392
25 Oct 2024 — This makes it possible for authenticated attackers, with Administrator-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achiev... • https://plugins.trac.wordpress.org/browser/sogrid/trunk/src/admin-panel/views/panel.php • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-9932 – Wux Blog Editor <= 3.0.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9932
25 Oct 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/RandomRobbieBF/CVE-2024-9932 • CWE-434: Unrestricted Upload of File with Dangerous Type •
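An upload validator of the kind that would have stopped CVE-2024-48581 and CVE-2024-9932, added here as an example in Python; it is not the courier system's or Wux Blog Editor's own code. The policy it enforces (image types only, identified by magic bytes) and the sample uploads are assumptions made for this example. The client's filename and Content-Type header are never trusted: the extension must be on an allowlist, the body must match that type's signature, and the file is stored under a server-generated name.

```python
import os
import secrets

# Assumed upload policy for this example: only these image types are legitimate,
# each identified by its leading bytes rather than by the client's Content-Type.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, content: bytes) -> str:
    """Return the canonical extension for an acceptable upload, else raise."""
    # Keep only the last path component; clients can send "../x" or "C:\\x".
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        # No extension at all, or a dotfile such as ".htaccess" (empty stem).
        raise UploadRejected("filename needs a stem and an extension")
    ext = EXTENSION_ALIASES.get(ext.lower(), ext.lower())
    if ext not in ALLOWED_TYPES:
        # Allowlist, never a denylist: php is out, and so are phtml, phar,
        # shtml, htaccess and anything else not named above.
        raise UploadRejected(f"extension {ext!r} is not permitted")
    if not content.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("file body does not match the claimed type")
    return ext


def store_upload(upload_dir: str, filename: str, content: bytes) -> str:
    """Validate, then write under a server-chosen random name; return that name."""
    ext = validate_upload(filename, content)
    # The client's name never reaches the filesystem: no double extensions,
    # no NUL bytes, no path separators, nothing for a handler rule to match.
    name = f"{secrets.token_hex(16)}.{ext}"
    fd = os.open(os.path.join(upload_dir, name),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return name


# Constructed sample uploads for the demo.
SAMPLES = {
    "photo.PNG": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "shell.php": b"<?php system($_GET['c']); ?>",
    "shell.php.jpg": b"<?php system($_GET['c']); ?>",
    ".htaccess": b"AddType application/x-httpd-php .jpg\n",
    "fake.png": b"GIF89a" + b"\x00" * 16,
}


def classify_samples() -> dict:
    """Map each sample filename to its accepted extension or a rejection reason."""
    out = {}
    for name, body in SAMPLES.items():
        try:
            out[name] = validate_upload(name, body)
        except UploadRejected as exc:
            out[name] = f"rejected: {exc}"
    return out


if __name__ == "__main__":
    import tempfile

    for name, verdict in classify_samples().items():
        print(f"{name:14} -> {verdict}")
    with tempfile.TemporaryDirectory() as d:
        print("stored as", store_upload(d, "photo.PNG", SAMPLES["photo.PNG"]))
```

The magic-byte check does not defeat polyglots (a valid JPEG with PHP appended still starts with `FF D8 FF`), which is why the random name and the storage location carry the rest of the weight: `upload_dir` must sit outside the web root, or be served with script execution disabled, so that whatever is stored there is only ever returned as static bytes.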
CVE-2024-37845
https://notcve.org/view.php?id=CVE-2024-37845
25 Oct 2024 — MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature. • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37845%20RCE.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-47883 – Butterfly has path/URL confusion in resource handling leading to multiple weaknesses
https://notcve.org/view.php?id=CVE-2024-47883
24 Oct 2024 — However, prior to version 1.2.6, if a `file:/` URL is directly given where a relative path (resource name) is expected, this is also accepted in some code paths; the app then fetches the file, from a remote machine if indicated, and uses it as if it was a trusted part of the app's codebase. ... If an app is written in such a way that an attacker can influence the resource name used for a template, that attacker could cause the app to fetch and execute an attacker-controlled template (remote... • https://github.com/OpenRefine/simile-butterfly/commit/537f64bfa72746f8b21d4bda461fad843435319c • CWE-36: Absolute Path Traversal CWE-918: Server-Side Request Forgery (SSRF) •
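The three entries above (CVE-2024-50497, CVE-2024-8392 and CVE-2024-47883) share one root: a name that should select a file under the application's own directory is instead handed to include/require or to a resource loader that also accepts absolute paths and `file:/` URLs. The resolver below is an added example in Python of how to map such a name onto a file safely; it is not the affected plugins' code nor the Butterfly fix in the linked commit. The directory layout, the suffix allowlist and the probe names are constructed for this example.

```python
import os
import shutil
import tempfile
from pathlib import Path


class BadResourceName(ValueError):
    pass


def resolve_resource(name: str, base_dir: str, suffixes=(".html", ".tmpl")) -> Path:
    """Map an untrusted resource name onto a file inside base_dir, or raise.

    Refused before the filesystem is touched: empty names, NUL, anything with
    a scheme or drive (file:/, php://, http://, C:\\), absolute paths and
    backslashes. Then the fully resolved path must still lie under base_dir.
    """
    if not name or "\x00" in name:
        raise BadResourceName("empty name or embedded NUL")
    if ":" in name:
        raise BadResourceName("resource names are relative paths, not URLs")
    if name.startswith("/") or "\\" in name:
        raise BadResourceName("absolute path or backslash separator")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()          # collapses "..", follows symlinks
    try:
        target.relative_to(base)
    except ValueError:
        raise BadResourceName("escapes the resource directory") from None
    if target.suffix not in suffixes:
        raise BadResourceName(f"suffix {target.suffix!r} not allowed")
    if not target.is_file():
        raise BadResourceName("no such resource")
    return target


# Constructed demo tree: <root>/app/views/panel.html, plus a file outside app/.
def make_demo_tree() -> str:
    root = tempfile.mkdtemp(prefix="resources-")
    views = Path(root) / "app" / "views"
    views.mkdir(parents=True)
    (views / "panel.html").write_text("<h1>panel</h1>")
    (Path(root) / "secret.txt").write_text("outside the resource dir")
    return root


PROBES = [
    "views/panel.html",                        # legitimate
    "views/../views/panel.html",               # odd, but still inside base
    "../secret.txt",                           # traversal out of base
    "/etc/passwd",                             # absolute path
    "file:///etc/passwd",                      # URL where a name is expected
    "php://filter/resource=views/panel.html",  # stream wrapper
    "views/panel.html\x00.jpg",                # NUL truncation attempt
    "views/panel",                             # exists as a prefix only
]


def run_probes() -> dict:
    """Map each probe to the accepted relative path or a rejection reason."""
    root = make_demo_tree()
    base = os.path.join(root, "app")
    out = {}
    try:
        for probe in PROBES:
            try:
                path = resolve_resource(probe, base)
                out[probe] = path.relative_to(Path(base).resolve()).as_posix()
            except BadResourceName as exc:
                out[probe] = f"rejected: {exc}"
    finally:
        shutil.rmtree(root, ignore_errors=True)
    return out


if __name__ == "__main__":
    for probe, verdict in run_probes().items():
        print(f"{probe!r:44} -> {verdict}")
```

Only the returned `Path` goes to the include or template loader; the user-supplied name itself never does. Resolving both sides with `resolve()` means a symlink inside the directory that points outside is rejected too, which is the conservative choice for a template directory.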
CVE-2024-47881 – OpenRefine's SQLite integration allows filesystem access, remote code execution (RCE)
https://notcve.org/view.php?id=CVE-2024-47881
24 Oct 2024 — Starting in version 3.4-beta and prior to version 3.8.3, in the `database` extension, the "enable_load_extension" property can be set for the SQLite integration, enabling an attacker to load (local or remote) extension DLLs and so run arbitrary code on the server. • https://github.com/OpenRefine/OpenRefine/commit/853a1d91662e7dc278a9a94a38be58de04494056 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •