CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-23646 – Pimcore Admin Classic Bundle SQL Injection in Admin download files as zip
https://notcve.org/view.php?id=CVE-2024-23646
Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. • https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2006 https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/Asset/AssetController.php#L2087 https://github.com/pimcore/admin-ui-classic-bundle/commit/363afef29496cc40a8b863c2ca2338979fcf50a8 https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.3.2 https://github.com/pimcore/admin-ui-classic-bundle/security/advisories/GHSA-cwx6-4wmf-c6xv • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43317
https://notcve.org/view.php?id=CVE-2023-43317
An issue in Coign CRM Portal v.06.06 allows a remote attacker to escalate privileges via the userPermissionsList parameter in Session Storage component. • https://github.com/amjadali-110/CVE-2023-43317 •
CVSS: 8.4EPSS: 0%CPEs: 2EXPL: 0CVE-2023-6926 – Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Crestron AM-300
https://notcve.org/view.php?id=CVE-2023-6926
There is an OS command injection vulnerability in Crestron AM-300 firmware version 1.4499.00018 which may enable a user of a limited-access SSH session to escalate their privileges to root-level access. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-02 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.8EPSS: 1%CPEs: 1EXPL: 0CVE-2023-50274 – Hewlett Packard Enterprise OneView startUpgradeCommon Command Injection Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2023-50274
HPE OneView may allow command injection with local privilege escalation. ... This vulnerability allows local attackers to escalate privileges code on affected installations of Hewlett Packard Enterprise OneView. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04586en_us • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-0751 – Mozilla: Privilege escalation through devtools
https://notcve.org/view.php?id=CVE-2024-0751
A malicious devtools extension could have been used to escalate privileges. ... The Mozilla Foundation Security Advisory describes this flaw as: A malicious devtools extension could have been used to escalate privileges. • https://bugzilla.mozilla.org/show_bug.cgi?id=1865689 https://lists.debian.org/debian-lts-announce/2024/01/msg00015.html https://lists.debian.org/debian-lts-announce/2024/01/msg00022.html https://www.mozilla.org/security/advisories/mfsa2024-01 https://www.mozilla.org/security/advisories/mfsa2024-02 https://www.mozilla.org/security/advisories/mfsa2024-04 https://access.redhat.com/security/cve/CVE-2024-0751 https://bugzilla.redhat.com/show_bug.cgi?id=2259932 • CWE-20: Improper Input Validation CWE-269: Improper Privilege Management •