CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Dec 2024 — The Advanced File Manager plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation via the 'class_fma_connector.php' file in all versions up to, and including, 5.2.10. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3199242 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Dec 2024 — The Revy plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.18. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/wordpress/plugin/revy/vulnerability/wordpress-revy-plugin-1-18-unauthenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Nov 2024 — A vulnerability classified as problematic has been found in code-projects Wazifa System 1.0. ... A problematic vulnerability was discovered in code-projects Wazifa System 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Nov 2024 — A vulnerability was found in code-projects Blood Bank System 1.0. ... A vulnerability was identified in code-projects Blood Bank System 1.0. ... Affected is unknown code of the file /controllers/updatesettings.php of the component Setting Handler. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Nov 2024 — A vulnerability was found in code-projects Farmacia 1.0. ... A vulnerability was identified in code-projects Farmacia 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

30 Nov 2024 — A vulnerability was found in code-projects Farmacia 1.0 and classified as problematic. ... A vulnerability was found in code-projects Farmacia 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Nov 2024 — A vulnerability has been found in code-projects Farmacia 1.0 and classified as problematic. ... A vulnerability was found in code-projects Farmacia 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

29 Nov 2024 — Executing policy checks using custom schematron files via the CLI invokes an XSL transformation that may theoretically lead to a remote code execution (RCE) vulnerability. This doesn't affect the standard validation and policy checks functionality, veraPDF's common use cases. Most veraPDF users don't insert any custom XSLT code into policy profiles, which are based on Schematron syntax rather than direct XSL transforms. ... Users are advised to be cautious of... • https://github.com/JAckLosingHeart/GHSA-4cx5-89vm-833x-POC • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Nov 2024 — A vulnerability in ESM 11.6.10 allows unauthenticated access to the internal Snowservice API and enables remote code execution through command injection, executed as the root user. • https://thrive.trellix.com/s/article/000014058#h2_0 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Nov 2024 — This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. • https://www.twcert.org.tw/en/cp-139-8272-13a13-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type