CVSS: 4.2 • EPSS: 0% • CPEs: - • EXPL: 0

Cross Site Request Forgery vulnerability in ProcessWire v.3.0.229 allows a remote attacker to execute arbitrary code via a crafted HTML file to the comments functionality. • https://gist.github.com/DefensiumDevelopers/608be4d10b016dce0566925368a8b08c#file-cve-2024-41597-md • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 8.0 • EPSS: 0% • CPEs: - • EXPL: 0

AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX9 V22.03.01.46 and AX3000 Dual-Band Gigabit Wi-Fi 6 Router AX12 V1.0 V22.03.01.46 were discovered to contain an authenticated remote command execution (RCE) vulnerability via the macFilterType parameter at /goform/setMacFilterCfg. • https://gist.github.com/Swind1er/c8e4369c7fdfd750c8ad01a276105c57 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

Sliver version 1.6.0 (prerelease) is vulnerable to RCE on the teamserver by a low-privileged "operator" user. The RCE is as the system root user. ... • https://github.com/BishopFox/sliver/commit/5016fb8d7cdff38c79e22e8293e58300f8d3bd57 https://github.com/BishopFox/sliver/issues/65 https://github.com/BishopFox/sliver/pull/1281 https://github.com/BishopFox/sliver/security/advisories/GHSA-hc5w-gxxr-w8x8 https://sliver.sh/docs?name=Multi-player+Mode • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

An attacker can exploit the Ansible playbook to write arbitrary files, leading to remote code execution (RCE) in the Celery container. ... • https://github.com/jumpserver/jumpserver/security/advisories/GHSA-3wgp-q8m7-v33v • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

There are many SQL injections in the project, and some of them are not well filtered, leading to arbitrary file writes and ultimately to RCE. • https://github.com/1Panel-dev/1Panel/security/advisories/GHSA-5grx-v727-qmq6 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')