CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 2

An issue in WWBN AVideo v.12.4 through v.14.2 allows a remote attacker to execute arbitrary code via the systemRootPath parameter of the submitIndex.php component. • https://github.com/Chocapikk/CVE-2024-31819 https://github.com/Jhonsonwannaa/CVE-2024-31819 https://chocapikk.com/posts/2024/cve-2024-31819 https://github.com/WWBN https://github.com/WWBN/AVideo • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: - | EXPL: 0

HTML injection vulnerability in Enpass Password Manager Desktop Client 6.9.2 for Windows and Linux allows attackers to run arbitrary HTML code via creation of a crafted note. • https://packetstormsecurity.com/files/177075/Enpass-Desktop-Application-6.9.2-HTML-Injection.html • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.2 | EPSS: 0% | CPEs: - | EXPL: 1

This issue could allow a malicious privileged guest user to crash the QEMU process on the host, resulting in a denial of service or allow arbitrary code execution within the context of the QEMU process on the host. • https://github.com/Toxich4/CVE-2024-34469 https://access.redhat.com/security/cve/CVE-2024-3446 https://bugzilla.redhat.com/show_bug.cgi?id=2274211 https://patchew.org/QEMU/20240409105537.18308-1-philmd@linaro.org https://access.redhat.com/errata/RHSA-2024:6964 • CWE-415: Double Free

CVSS: 7.7 | EPSS: 0% | CPEs: 1 | EXPL: 0

gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. gin-vue-admin pseudoversion 0.0.0-20240407133540-7bc7c3051067, corresponding to version 2.6.1, has a code injection vulnerability in the backend. • https://github.com/flipped-aurora/gin-vue-admin/commit/b1b7427c6ea6c7a027fa188c6be557f3795e732b https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-gv3w-m57p-3wc4 https://pkg.go.dev/github.com/flipped-aurora/gin-vue-admin/server?tab=versions • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Improper Encoding or Escaping of Output vulnerability in Apache Zeppelin. The attackers can execute shell scripts or malicious code by overriding configuration like ZEPPELIN_INTP_CLASSPATH_OVERRIDES. This issue affects Apache Zeppelin: from 0.8.2 before 0.11.1. Users are recommended to upgrade to version 0.11.1, which fixes the issue. • http://www.openwall.com/lists/oss-security/2024/04/09/10 https://github.com/apache/zeppelin/pull/4715 https://lists.apache.org/thread/jpkbq3oktopt34x2n5wnhzc2r1410ddd • CWE-116: Improper Encoding or Escaping of Output