CVE-2024-36954 – tipc: fix a possible memleak in tipc_buf_append
https://notcve.org/view.php?id=CVE-2024-36954
In the Linux kernel, the following vulnerability has been resolved: tipc: fix a possible memleak in tipc_buf_append __skb_linearize() doesn't free the skb when it fails, so move '*buf = NULL' after __skb_linearize(), so that the skb can be freed on the err path. En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tipc: soluciona un posible memleak en tipc_buf_append __skb_linearize() no libera el skb cuando falla, así que mueve '*buf = NULL' después de __skb_linearize(), para que el skb se puede liberar en la ruta de error. • https://git.kernel.org/stable/c/4b1761898861117c97066aea6c58f68a7787f0bf https://git.kernel.org/stable/c/64d17ec9f1ded042c4b188d15734f33486ed9966 https://git.kernel.org/stable/c/6da24cfc83ba4f97ea44fc7ae9999a006101755c https://git.kernel.org/stable/c/b7df21cf1b79ab7026f545e7bf837bd5750ac026 https://git.kernel.org/stable/c/b2c8d28c34b3070407cb1741f9ba3f15d0284b8b https://git.kernel.org/stable/c/5489f30bb78ff0dafb4229a69632afc2ba20765c https://git.kernel.org/stable/c/436d650d374329a591c30339a91fa5078052ed1e https://git.kernel.org/stable/c/ace300eecbccaa698e2b472843c74a • CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') •
CVE-2024-3924 – Code Injection in huggingface/text-generation-inference
https://notcve.org/view.php?id=CVE-2024-3924
A code injection vulnerability exists in the huggingface/text-generation-inference repository, specifically within the `autodocs.yml` workflow file. ... Successful exploitation could lead to arbitrary code execution within the context of the GitHub Actions runner. • https://github.com/zunak/CVE-2024-39249 https://github.com/jasonthename/CVE-2024-39248 https://github.com/huggingface/text-generation-inference/commit/88702d876383f7200eccf67e28ba00500dc804bb https://huntr.com/bounties/8af92fc2-0103-4d29-bb28-c3893154c422 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-35333
https://notcve.org/view.php?id=CVE-2024-35333
An attacker can exploit this vulnerability by providing a specially crafted input to the vulnerable function, causing a buffer overflow and potentially leading to arbitrary code execution, denial of service, or data corruption. • https://github.com/momo1239/CVE-2024-35333 • CWE-121: Stack-based Buffer Overflow •
CVE-2024-35226 – PHP Code Injection by malicious attribute in extends-tag in Smarty
https://notcve.org/view.php?id=CVE-2024-35226
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. In affected versions template authors could inject php code by choosing a malicious file name for an extends-tag. Sites that cannot fully trust template authors should update asap. All users are advised to update. There is no patch for users on the v3 branch. • https://github.com/smarty-php/smarty/commit/0be92bc8a6fb83e6e0d883946f7e7c09ba4e857a https://github.com/smarty-php/smarty/security/advisories/GHSA-4rmg-292m-wg3w • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-35581
https://notcve.org/view.php?id=CVE-2024-35581
A cross-site scripting (XSS) vulnerability in Sourcecodester Laboratory Management System v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Borrower Name input field. Una vulnerabilidad de Cross-site scripting (XSS) en Sourcecodester Laboratory Management System v1.0 permite a los atacantes ejecutar scripts web o HTML arbitrario a través de un payload manipulado inyectado en el campo de entrada Nombre del prestatario. • https://github.com/r04i7/CVE/blob/main/CVE-2024-35581.md https://owasp.org/www-community/attacks/xss https://portswigger.net/web-security/cross-site-scripting/stored • CWE-94: Improper Control of Generation of Code ('Code Injection') •