CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33644 – WordPress Customify Site Library plugin <= 0.0.9 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-33644
Improper Control of Generation of Code ('Code Injection') vulnerability in WPCustomify Customify Site Library allows Code Injection.This issue affects Customify Site Library: from n/a through 0.0.9. • https://patchstack.com/database/vulnerability/customify-sites/wordpress-customify-site-library-plugin-0-0-9-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 2.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4214 – WordPress cardealer plugin <= 4.15 - Content Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-4214
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS vulnerability in Bill Minozzi Car Dealer allows Code Injection.This issue affects Car Dealer: from n/a through 4.15. Neutralización incorrecta de etiquetas HTML relacionadas con scripts en una página web (la vulnerabilidad XSS básica en Bill Minozzi Car Dealer permite la inyección de código. Este problema afecta a Car Dealer: desde n/a hasta 4.15. The Car Dealer (Dealership) and Vehicle sales plugin for WordPress is vulnerable to unauthorized content injection due to insufficient input validation in all versions up to, and including, 4.15. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary content. • https://patchstack.com/database/vulnerability/cardealer/wordpress-cardealer-plugin-4-15-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32876 – NewPipe has potential security vulnerability when importing settings
https://notcve.org/view.php?id=CVE-2024-32876
However, in versions 0.13.4 through 0.26.1, importing a backup file from an untrusted source could have resulted in Arbitrary Code Execution. ... NewPipe version 0.27.0 fixes the issue by doing the following: Restrict the classes that can be deserialized when calling Java's Object Serialization Stream Protocol, by adding a whitelist with only innocuous data-only classes that can't lead to Arbitrary Code Execution; deprecate backups serialized with Java's Object Serialization Stream Protocol; use JSON serialization for all newly created backups (but still include an alternative file serialized with Java's Object Serialization Stream Protocol in the backup zip for backwards compatibility); show a warning to the user when attempting to import a backup where the only available serialization mode is Java's Object Serialization Stream Protocol (note that in the future this serialization mode will be removed completely). • https://docs.oracle.com/javase/6/docs/platform/serialization/spec/protocol.html https://github.com/TeamNewPipe/NewPipe/commit/a69bbab73220f36e53c801cf7e9ea3627bb017eb https://github.com/TeamNewPipe/NewPipe/releases/tag/v0.27.0 https://github.com/TeamNewPipe/NewPipe/security/advisories/GHSA-wxrm-jhpf-vp6v • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.0EPSS: 0%CPEs: 267EXPL: 0CVE-2024-20359 – Cisco ASA and FTD Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-20359
A vulnerability in a legacy capability that allowed for the preloading of VPN clients and plug-ins and that has been available in Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an authenticated, local attacker to execute arbitrary code with root-level privileges. Administrator-level privileges are required to exploit this vulnerability. This vulnerability is due to improper validation of a file when it is read from system flash memory. An attacker could exploit this vulnerability by copying a crafted file to the disk0: file system of an affected device. A successful exploit could allow the attacker to execute arbitrary code on the affected device after the next reload of the device, which could alter system behavior. Because the injected code could persist across device reboots, Cisco has raised the Security Impact Rating (SIR) of this advisory from Medium to High. • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-persist-rce-FLsNXF4h • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3734 – FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-3734
The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide. El complemento FOX – Currency Switcher Professional para WooCommerce es vulnerable a la ejecución de códigos cortos arbitrarios no autenticados en versiones hasta la 1.4.1.8 incluida. Esto permite a atacantes no autenticados ejecutar códigos cortos arbitrarios. • https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072307%40woocommerce-currency-switcher%2Ftrunk&old=3049249%40woocommerce-currency-switcher%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •