CVE-2024-38944
https://notcve.org/view.php?id=CVE-2024-38944
An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi? • https://gist.github.com/LemonSec/6aaea8320187a38e1a398fa321f12303 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-34329
https://notcve.org/view.php?id=CVE-2024-34329
Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.4 and earlier allow unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload. • https://github.com/pamoutaf/CVE-2024-34329 https://github.com/pamoutaf/CVE-2024-34329/blob/main/README.md https://www.entrust.com/ja/contact/services/downloads/drivers • CWE-378: Creation of Temporary File With Insecure Permissions •
CVE-2024-28698
https://notcve.org/view.php?id=CVE-2024-28698
Directory Traversal vulnerability in Marimer LLC CSLA .Net before 8.0 allows a remote attacker to execute arbitrary code via a crafted script to the MobileFormatter component. • https://github.com/MarimerLLC/csla/pull/3552 https://www.intruder.io/research/path-traversal-and-code-execution-in-csla-net-cve-2024-28698 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-6960 – H2O deserializes ML models without filtering, potentially allowing execution of malicious code
https://notcve.org/view.php?id=CVE-2024-6960
The H2O machine learning platform uses "Iced" classes as the primary means of moving Java Objects around the cluster. The Iced format supports inclusion of serialized Java objects. When a model is deserialized, any class is allowed to be deserialized (no class whitelist). An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. • https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518 • CWE-502: Deserialization of Untrusted Data •
CVE-2024-40347
https://notcve.org/view.php?id=CVE-2024-40347
A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser by injecting a crafted payload into the htmlid parameter. • https://github.com/4rdr/proofs/blob/main/info/Alfresco_Reflected_XSS_via_htmlid_parameter.md •