CVE-2024-36531
https://notcve.org/view.php?id=CVE-2024-36531
nukeviet v.4.5 and before and nukeviet-egov v.1.2.02 and before are vulnerable to arbitrary code execution via the /admin/extensions/upload.php component. • https://mat4mee.notion.site/Module-upload-in-nukeViet-leads-to-RCE-01ff3ff4c80d402d8c7c8a2b15a24c33 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-4577 – PHP-CGI OS Command Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-4577
PHP, specifically Windows-based PHP used in CGI mode, contains an OS command injection vulnerability that allows for arbitrary code execution. • https://github.com/BTtea/CVE-2024-4577-RCE-PoC https://github.com/K3ysTr0K3R/CVE-2024-4577-EXPLOIT https://github.com/manuelinfosec/CVE-2024-4577 https://github.com/zomasec/CVE-2024-4577 https://github.com/cybersagor/CVE-2024-4577 https://github.com/l0n3m4n/CVE-2024-4577-RCE https://github.com/bughuntar/CVE-2024-4577 https://github.com/watchtowrlabs/CVE-2024-4577 https://github.com/xcanwin/CVE-2024-4577-PHP-RCE https://github.com/TAM-K592/CVE-2024-4577 https:/ • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-1880 – OS Command Injection in MacOS Text-To-Speech Class in significant-gravitas/autogpt
https://notcve.org/view.php?id=CVE-2024-1880
Specifically, the use of `os.system` to execute the `say` command with user-supplied text allows for arbitrary code execution if an attacker can inject shell commands. • https://github.com/significant-gravitas/autogpt/commit/26324f29849967fa72c207da929af612f1740669 https://huntr.com/bounties/4e742624-8771-4f3c-9634-3eaf33d6d58e • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-3095 – SSRF in Langchain Web Research Retriever in langchain-ai/langchain
https://notcve.org/view.php?id=CVE-2024-3095
This could potentially lead to arbitrary code execution, depending on the nature of the local services. • https://github.com/leoCottret/CVE-2024-30956 https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-4320 – Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-4320
The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. • https://github.com/bolkv/CVE-2024-4320 https://huntr.com/bounties/d6564f04-0f59-4686-beb2-11659342279b • CWE-29: Path Traversal: '\..\filename' •