CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-52781
https://notcve.org/view.php?id=CVE-2024-52781
29 Nov 2024 — DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/tool/traceroute.php. • https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-52780
https://notcve.org/view.php?id=CVE-2024-52780
29 Nov 2024 — DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/mgmt_edit.php. • https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-36622
https://notcve.org/view.php?id=CVE-2024-36622
29 Nov 2024 — In RaspAP raspap-webgui 3.0.9 and earlier, a command injection vulnerability exists in the clearlog.php script. The vulnerability is due to improper sanitization of user input passed via the logfile parameter. • https://gist.github.com/1047524396/ab997b902ec892e592a0df93f38e6941 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-52777
https://notcve.org/view.php?id=CVE-2024-52777
29 Nov 2024 — DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L, <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/system/basic/license_update.php. • https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one •
CVSS: 9.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-35451
https://notcve.org/view.php?id=CVE-2024-35451
29 Nov 2024 — LinkStack 2.7.9 through 4.7.7 allows resources\views\components\favicon.blade.php link SSRF. • https://datafarm.co.th/blog/CVE-2024-35451:-From-%28Authenticated%29-SSRF-to-Remote-Code-Execution • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-52779
https://notcve.org/view.php?id=CVE-2024-52779
29 Nov 2024 — DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_top10.php. • https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-52782
https://notcve.org/view.php?id=CVE-2024-52782
29 Nov 2024 — DCME-320 <=7.4.12.90, DCME-520 <=9.25.5.11, DCME-320-L <=9.3.5.26, and DCME-720 <=9.1.5.11 are vulnerable to Remote Code Execution via /function/audit/newstatistics/mon_stat_hist_new.php. • https://ba1100n.tech/%E6%BC%8F%E6%B4%9E%E6%8A%A5%E5%91%8A/dcme-all-series-rcessix-one •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-11971 – Guizhou Xiaoma Technology jpress Avatar upload cross site scripting
https://notcve.org/view.php?id=CVE-2024-11971
28 Nov 2024 — A vulnerability classified as problematic was found in Guizhou Xiaoma Technology jpress 5.1.2. Affected by this vulnerability is an unknown functionality of the file /commons/attachment/upload of the component Avatar Handler. The manipulation of the argument files leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/dycccccccc/jpress/blob/main/JPRESS%20file%20upload%20leads%20to%20code%20execution.docx • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52338 – Apache Arrow R package: Arbitrary code execution when loading a malicious data file
https://notcve.org/view.php?id=CVE-2024-52338
28 Nov 2024 — Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. ... Deserialization of untrusted data in IPC and Parquet readers in the Apache Arrow R package versions 4.0.0 through 16.1.0 allows arbitrary code execution. • https://github.com/apache/arrow/commit/801de2fbcf5bcbce0c019ed4b35ff3fc863b141b • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11969 – Incorrect default permissions in Cradlepoint NetCloud Exchange
https://notcve.org/view.php?id=CVE-2024-11969
28 Nov 2024 — A normal (non-admin) user could exploit the weakness in file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine. • https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-default-permissions-cradlepoint-netcloud-exchange • CWE-276: Incorrect Default Permissions •