
CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Jun 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Membership Software WishList Member X allows Code Injection. This issue affects WishList Member X: from n/a before 3.26.7. • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-php-code-execution-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 3

20 Jun 2024 — An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call. CVE-2024-28397 is a sandbox escape in js2py versions 0.74 and below. js2py is a popular Python package that can evaluate JavaScript code inside a Python interpreter. The vulnerability allows for an attacker to o... • https://packetstorm.news/files/id/182692 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

19 Jun 2024 — Kafka UI is an Open-Source Web UI for Apache Kafka Management. Kafka UI API allows users to connect to different Kafka brokers by specifying their network address and port. As a separate feature, it also provides the ability to monitor the performance of Kafka brokers by connecting to their JMX ports. JMX is based on the RMI protocol, so it is inherently susceptible to deserialization attacks. A potential attacker can exploit this feature by connecting Kafka UI backend to its own malicious broker. • https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-502: Deserialization of Untrusted Data

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2024 — The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. • https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L192 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2024 — Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed. • https://jvn.jp/en/jp/JVN00442488 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

19 Jun 2024 — In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. • https://security.friendsofpresta.org/modules/2024/06/18/livechatpro.html • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Jun 2024 — An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file. • http://dolibarr.com • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Jun 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection. This issue affects Squeeze: from n/a through 1.4. The Squeeze plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.4. This ma... • https://patchstack.com/database/vulnerability/squeeze/wordpress-squeeze-plugin-1-4-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Jun 2024 — almela obx before v.0.0.4 has a Prototype Pollution issue which allows arbitrary code execution via the obx/build/index.js:656), reduce (@almela/obx/build/index.js:470), Object.set (obx/build/index.js:269) component. • https://gist.github.com/mestrtee/fd8181bbc180d775f8367a2b9e0ffcd1 • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

17 Jun 2024 — A Prototype Pollution issue in getsetprop 1.1.0 allows an attacker to execute arbitrary code via global.accessor. • https://gist.github.com/mestrtee/0d830798f20839d634278d7af0155f9e • CWE-94: Improper Control of Generation of Code ('Code Injection')