CVE-2024-36120 – javascript-deobfuscator crafted payload can lead to code execution
https://notcve.org/view.php?id=CVE-2024-36120
javascript-deobfuscator removes common JavaScript obfuscation techniques. In affected versions crafted payloads targeting expression simplification can lead to code execution. This issue has been patched in version 1.1.0. Users are advised to update. Users unable to upgrade should disable the expression simplification feature. javascript-deobfuscator elimina técnicas comunes de ofuscación de JavaScript. • https://github.com/ben-sb/javascript-deobfuscator/commit/630d3caec83d5f31c5f7a07e6fadf613d06699d6 https://github.com/ben-sb/javascript-deobfuscator/security/advisories/GHSA-9p6p-8v9r-8c9m • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-5565 – Prompt Injection in "ask" API with visualization leads to RCE
https://notcve.org/view.php?id=CVE-2024-5565
The Vanna library uses a prompt function to present the user with visualized results, it is possible to alter the prompt using prompt injection and run arbitrary Python code instead of the intended visualization code. Specifically - allowing external input to the library’s “ask” method with "visualize" set to True (default behavior) leads to remote code execution. La librería Vanna utiliza una función de solicitud para presentar al usuario resultados visualizados; es posible modificar la solicitud mediante inyección de solicitud y ejecutar código Python arbitrario en lugar del código de visualización deseado. Específicamente, permitir la entrada externa al método "preguntar" de la librería con "visualizar" configurado en Verdadero (comportamiento predeterminado) conduce a la ejecución remota de código. • https://research.jfrog.com/vulnerabilities/vanna-prompt-injection-rce-jfsa-2024-001034449 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-23692 – Rejetto HTTP File Server Improper Neutralization of Special Elements Used in a Template Engine Vulnerability
https://notcve.org/view.php?id=CVE-2024-23692
Rejetto HTTP File Server, up to and including version 2.3m, is vulnerable to a template injection vulnerability. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary commands on the affected system by sending a specially crafted HTTP request. As of the CVE assignment date, Rejetto HFS 2.3m is no longer supported. Rejetto HTTP File Server, hasta la versión 2.3m incluida, es vulnerable a una vulnerabilidad de inyección de plantilla. Esta vulnerabilidad permite que un atacante remoto no autenticado ejecute comandos arbitrarios en el sistema afectado enviando una solicitud HTTP especialmente manipulada. • https://github.com/verylazytech/CVE-2024-23692 https://github.com/0x20c/CVE-2024-23692-EXP https://github.com/pradeepboo/Rejetto-HFS-2.x-RCE-CVE-2024-23692 https://github.com/jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS https://github.com/vanboomqi/CVE-2024-23692 https://github.com/BBD-YZZ/CVE-2024-23692 https://github.com/k3lpi3b4nsh33/CVE-2024-23692 https://github.com/Tupler/CVE-2024-23692-exp https://github.com/Mr-r00t11/CVE-2024-23692 https://github.com/WanL • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-5436 – Type Confusion in Snapchat Lenscore
https://notcve.org/view.php?id=CVE-2024-5436
Type confusion in Snapchat LensCore could lead to denial of service or arbitrary code execution prior to version 12.88. • https://hackerone.com/snapchat • CWE-704: Incorrect Type Conversion or Cast •
CVE-2024-5271 – Fuji Electric Monitouch V-SFT Out-of-Bounds Write
https://notcve.org/view.php?id=CVE-2024-5271
Fuji Electric Monitouch V-SFT is vulnerable to an out-of-bounds write because of a type confusion, which could result in arbitrary code execution. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-151-02 • CWE-787: Out-of-bounds Write •