CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38002
https://notcve.org/view.php?id=CVE-2024-38002
22 Oct 2024 — The workflow component in Liferay Portal 7.3.2 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92 and 7.3 GA through update 36 does not properly check user permissions before updating a workflow definition, which allows remote authenticated users to modify workflow definitions and execute arbitrary code (RCE) via the headless API. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-38002 • CWE-863: Incorrect Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26273
https://notcve.org/view.php?id=CVE-2024-26273
22 Oct 2024 — Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.4.0 through 7.4.3.103, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 update 29 through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_commerce_catalog_web_internal_po... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26273 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-26272
https://notcve.org/view.php?id=CVE-2024-26272
22 Oct 2024 — Cross-site request forgery (CSRF) vulnerability in the content page editor in Liferay Portal 7.3.2 through 7.4.3.107, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 GA through update 92 and 7.3 GA through update 35 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the p_l_back_url parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26272 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26271
https://notcve.org/view.php?id=CVE-2024-26271
22 Oct 2024 — Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_M... • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2023-52918 – media: pci: cx23885: check cx23885_vdev_init() return
https://notcve.org/view.php?id=CVE-2023-52918
22 Oct 2024 — An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/8e31b096e2e1949bc8f0be019c9ae70d414404c6 •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-40493
https://notcve.org/view.php?id=CVE-2024-40493
22 Oct 2024 — Null Pointer Dereference in `coap_client_exchange_blockwise2` function in Keith Cullen FreeCoAP 1.0 allows remote attackers to cause a denial of service and potentially execute arbitrary code via a specially crafted CoAP packet that causes `coap_msg_get_payload(resp)` to return a null pointer, which is then dereferenced in a call to `memcpy`. • https://gist.github.com/dqp10515/fe80005e2fb58ed8ada178ac017e4ad4 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45518
https://notcve.org/view.php?id=CVE-2024-45518
22 Oct 2024 — This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE). • https://wiki.zimbra.com/wiki/Security_Center • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46482
https://notcve.org/view.php?id=CVE-2024-46482
22 Oct 2024 — An arbitrary file upload vulnerability in the Ticket Generation function of Ladybird Web Solution Faveo-Helpdesk v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .html or .svg file. • https://github.com/Asadiqbal2/Vulnerabilities-Research/tree/main/CVE-2024-46482 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 1CVE-2022-23862
https://notcve.org/view.php?id=CVE-2022-23862
22 Oct 2024 — Because the service did not enforce authentication and was running under the "NT Authority\System" user, an attacker is able to use the vulnerability to execute arbitrary code and elevate to the system user. • https://github.com/mbadanoiu/CVE-2022-23862 • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-48605 – Helakuru 1.1 DLL Hijacking
https://notcve.org/view.php?id=CVE-2024-48605
22 Oct 2024 — An issue in Helakuru Desktop Application v1.1 allows a local attacker to execute arbitrary code via the lack of proper validation of the wow64log.dll file. Helakuru version 1.1 suffers from a dll hijacking vulnerability. • https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection • CWE-427: Uncontrolled Search Path Element •