CVE-2024-7258 – WooCommerce Google Feed Manager <= 2.8.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-7258
This makes it possible for authenticated attackers, with Contributor-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://plugins.trac.wordpress.org/browser/wp-product-feed-manager/trunk/includes/data/js/wppfm_ajaxdatahandling.js#L537 https://plugins.trac.wordpress.org/browser/wp-product-feed-manager/trunk/includes/data/js/wppfm_ajaxdatahandling.js#L546 https://plugins.trac.wordpress.org/browser/wp-product-feed-manager/trunk/includes/data/js/wppfm_ajaxdatahandling.js#L575 https://plugins.trac.wordpress.org/changeset/3137475 https://www.wordfence.com/threat-intel/vulnerabilities/id/ffd6e18d-9173-4911-af64-5d54c6d2e052?source=cve • CWE-862: Missing Authorization •
CVE-2024-7559 – File Manager Pro <= 8.3.7 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7559
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://filemanagerpro.io/file-manager-pro https://www.wordfence.com/threat-intel/vulnerabilities/id/f4b45791-4b85-4a2d-8019-1d438bd694cb?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-5581 – Allegra unzipFile Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-5581
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Allegra. ... An attacker can leverage this vulnerability to execute code in the context of LOCAL SERVICE. •
CVE-2024-7987 – Rockwell Automation ThinManager® ThinServerâ„¢ Information Disclosure and Remote Code Execution Vulnerabilities
https://notcve.org/view.php?id=CVE-2024-7987
A remote code execution vulnerability exists in the Rockwell Automation ThinManager® ThinServerâ„¢ that allows a threat actor to execute arbitrary code with System privileges. ... An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the ThinServer service which listens on TCP port 2031 by default. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1692.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-45169
https://notcve.org/view.php?id=CVE-2024-45169
Due to improper input validation, improper deserialization, and improper restriction of operations within the bounds of a memory buffer, IDOL2 is vulnerable to Denial-of-Service (DoS) attacks and possibly remote code execution via the \xB0\x00\x3c byte sequence. • http://download.uci.de/idol2/idol2Client_2_12.exe https://uci.de/download/idol2-client.html https://uci.de/products/index.html https://www.syss.de/en/responsible-disclosure-policy https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-052.txt • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •