
CVE-2024-30279 – ZDI-CAN-22887: Adobe Acrobat Reader DC JPEG2000 File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-30279
22 May 2024 — Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/acrobat/apsb24-29.html • CWE-787: Out-of-bounds Write •

CVE-2024-34240
https://notcve.org/view.php?id=CVE-2024-34240
21 May 2024 — QDOCS Smart School 7.0.0 is vulnerable to Cross Site Scripting (XSS) resulting in arbitrary code execution in admin functions related to adding or updating records. • https://grumpz.net/cve-2024-34240-latest-stored-xss-0day-vulnerability-unveiled • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-22274
https://notcve.org/view.php?id=CVE-2024-22274
21 May 2024 — The vCenter Server contains an authenticated remote code execution vulnerability. A malicious actor with administrative privileges on the vCenter appliance shell may exploit this issue to run arbitrary commands on the underlying operating system. • https://github.com/mbadanoiu/CVE-2024-22274 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-34724 – PowerVR _UnrefAndMaybeDestroy() Use-After-Free
https://notcve.org/view.php?id=CVE-2024-34724
21 May 2024 — In _UnrefAndMaybeDestroy of pmr.c, there is a possible arbitrary code execution due to a race condition. • https://packetstorm.news/files/id/178647 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •

CVE-2024-4261 – Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-4261
21 May 2024 — The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to an action handler that passes a user-supplied value to do_shortcode without properly validating it. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/block/app.php#L24 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-31335 – PowerVR DevmemIntChangeSparse2() Dangling Page Table Entry
https://notcve.org/view.php?id=CVE-2024-31335
21 May 2024 — In DevmemIntChangeSparse2 of devicemem_server.c, there is a possible arbitrary code execution due to a logic error in the code. • https://packetstorm.news/files/id/178648 • CWE-783: Operator Precedence Logic Error •

CVE-2024-24294
https://notcve.org/view.php?id=CVE-2024-24294
20 May 2024 — A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js. • https://gist.github.com/mestrtee/d1eb6e1f7c6dd60d8838c3e56cab634d • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-36078
https://notcve.org/view.php?id=CVE-2024-36078
19 May 2024 — In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allows a local attacker on the server to modify the gem's files, injecting arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user). • https://zammad.com/en/advisories/zaa-2024-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
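An audit for the permission defect this entry describes, added here as an example and not Zammad's own tooling: it walks a directory tree, reports every file or directory whose mode grants write access to "other", and clears that bit. The sample gem tree is constructed in a temporary directory, and its path layout is an assumption made for the example.

```python
"""Added example: find and fix world-writable files under an install tree
(the defect class behind CVE-2024-36078). Illustrative code, not Zammad's;
the directory layout below is an assumption."""
from __future__ import annotations

import os
import shutil
import stat
import tempfile
from pathlib import Path


def find_world_writable(root: Path) -> list[Path]:
    """Return every regular file or directory under root whose mode has the
    S_IWOTH bit set. Symlinks are inspected with lstat and skipped, so a link
    pointing outside the tree is never misreported."""
    hits: list[Path] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = os.lstat(p)
            if stat.S_ISLNK(st.st_mode):
                continue
            if st.st_mode & stat.S_IWOTH:
                hits.append(p)
    return sorted(hits)


def fix_world_writable(root: Path) -> list[Path]:
    """Strip the 'other' write bit from each offending path; return the list
    of paths that were changed."""
    fixed: list[Path] = []
    for p in find_world_writable(root):
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        os.chmod(p, mode & ~stat.S_IWOTH)
        fixed.append(p)
    return fixed


def build_demo_tree() -> Path:
    """Constructed sample: a fake bundled-gem directory containing one
    world-writable file (the bug) and one correctly permissioned file.
    Directory modes are set explicitly so the result does not depend on
    the process umask."""
    root = Path(tempfile.mkdtemp(prefix="gem-audit-"))  # mkdtemp uses 0o700
    gem = root / "gems" / "example-1.0.0" / "lib"
    gem.mkdir(parents=True)
    for d in (root / "gems", root / "gems" / "example-1.0.0", gem):
        os.chmod(d, 0o755)
    bad = gem / "example.rb"
    good = gem / "version.rb"
    bad.write_text("# any local user can edit this file\n")
    good.write_text("VERSION = '1.0.0'\n")
    os.chmod(bad, 0o666)   # world-writable: the vulnerable condition
    os.chmod(good, 0o644)  # owner-writable only: the expected state
    return root


def demo() -> dict:
    """Audit the constructed tree, fix it, and re-audit; clean up afterwards."""
    root = build_demo_tree()
    try:
        before = [p.name for p in find_world_writable(root)]
        fixed = fix_world_writable(root)
        after = find_world_writable(root)
        return {"before": before, "fixed": len(fixed), "after": len(after)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run against a real install tree, `find_world_writable(Path("/opt/zammad"))` (path assumed) lists exactly the files a local attacker could rewrite; the fix only touches the "other" bit, so owner and group permissions the package expects are left alone.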

CVE-2024-4264 – Remote Code Execution in berriai/litellm
https://notcve.org/view.php?id=CVE-2024-4264
18 May 2024 — A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings ... • https://huntr.com/bounties/a3221b0c-6e25-4295-ab0f-042997e8fc61 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
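The eval-on-untrusted-input pattern this entry describes, as an added example rather than litellm's own code: a get_secret-style function that hands an environment value to eval, beside a hardened version that parses the value as JSON and checks its shape. The function names, the variable name GOOGLE_KMS_SECRET, and the expectation that the secret is a JSON object are assumptions.

```python
"""Added example: the eval-of-environment-value defect behind CVE-2024-4264,
shown as a vulnerable function beside a hardened one. Illustrative code, not
litellm's implementation; names and the assumed JSON shape are assumptions."""
import json
import os
from typing import Any, Mapping


def vulnerable_get_secret(name: str, env: Mapping[str, str] = os.environ) -> Any:
    """Vulnerable pattern: the raw environment value is evaluated as Python.

    Whoever can set the variable (here, via a config-update endpoint) runs
    arbitrary code in the server process.
    """
    return eval(env[name])  # deliberately unsafe: this is the bug


def safe_get_secret(name: str, env: Mapping[str, str] = os.environ) -> dict:
    """Hardened pattern: treat the value as data, never as code.

    json.loads cannot execute anything; the result is additionally required
    to be a JSON object because that is the shape this code expects
    (an assumption for the example).
    """
    raw = env[name]
    try:
        value = json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"secret {name!r} is not valid JSON") from exc
    if not isinstance(value, dict):
        raise ValueError(f"secret {name!r} must be a JSON object")
    return value


# Constructed inputs: a payload an attacker could plant in the environment,
# and a benign value of the expected shape.
MALICIOUS_ENV = {"GOOGLE_KMS_SECRET": "__import__('os').getpid()"}
BENIGN_ENV = {"GOOGLE_KMS_SECRET": '{"project_id": "demo", "key_ring": "kr"}'}


def demo() -> dict:
    """Run both implementations on both inputs and report what happened."""
    result: dict = {}
    # The vulnerable version executes the payload and returns the live PID.
    result["vulnerable_executed_code"] = isinstance(
        vulnerable_get_secret("GOOGLE_KMS_SECRET", MALICIOUS_ENV), int
    )
    # The hardened version rejects the same payload as malformed data.
    try:
        safe_get_secret("GOOGLE_KMS_SECRET", MALICIOUS_ENV)
        result["safe_rejected_payload"] = False
    except ValueError:
        result["safe_rejected_payload"] = True
    # And still accepts a well-formed secret.
    result["safe_parsed_benign"] = safe_get_secret("GOOGLE_KMS_SECRET", BENIGN_ENV)
    return result


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not input filtering but a change of interpreter: a JSON parser has no code path that executes its input, so no value an attacker writes through the config endpoint can become a call.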

CVE-2024-31974
https://notcve.org/view.php?id=CVE-2024-31974
17 May 2024 — The com.solarized.firedown (aka Solarized FireDown Browser & Downloader) application 1.0.76 for Android allows a remote attacker to execute arbitrary JavaScript code via a crafted intent. com.solarized.firedown.IntentActivity uses a WebView component to display web content and does not adequately sanitize the URI or any extra data passed in the intent, which any installed application can send without holding any permissions. • https://github.com/actuator/com.solarized.firedown • CWE-94: Improper Control of Generation of Code ('Code Injection') •