CVSS: 8.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-52899 – IBM Data Virtualization Manager code execution
https://notcve.org/view.php?id=CVE-2024-52899
26 Nov 2024 — IBM Data Virtualization Manager for z/OS 1.1 and 1.2 could allow an authenticated user to inject malicious JDBC URL parameters and execute code on the server. • https://www.ibm.com/support/pages/node/7177091 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-11676 – CodeAstro Hospital Management System Add Laboratory Equipment Page his_admin_add_lab_equipment.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-11676
26 Nov 2024 — A vulnerability was found in CodeAstro Hospital Management System 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /backend/admin/his_admin_add_lab_equipment.php of the component Add Laboratory Equipment Page. The manipulation of the argument eqp_code/eqp_name/eqp_vendor/eqp_desc/eqp_dept/eqp_status/eqp_qty leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://codeastro.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-11675 – CodeAstro Hospital Management System Add Patient Details Page his_admin_register_patient.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-11675
26 Nov 2024 — A vulnerability has been found in CodeAstro Hospital Management System 1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /backend/admin/his_admin_register_patient.php of the component Add Patient Details Page. The manipulation of the argument pat_fname/pat_ailment/pat_lname/pat_age/pat_dob/pat_number/pat_phone/pat_type/pat_addr leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be us... • https://codeastro.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53555
https://notcve.org/view.php?id=CVE-2024-53555
26 Nov 2024 — A CSV injection vulnerability in Taiga v6.8.1 allows attackers to execute arbitrary code via uploading a crafted CSV file. • https://drive.google.com/file/d/1M4UjoTUqlPWLYjevCuE3WhdUqQkRj0-r/view?usp=drive_link • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53619
https://notcve.org/view.php?id=CVE-2024-53619
26 Nov 2024 — An authenticated arbitrary file upload vulnerability in the Documents module of SPIP v4.3.3 allows attackers to execute arbitrary code via uploading a crafted PDF file. • https://grimthereaperteam.medium.com/spip-4-3-3-malicious-file-upload-xss-in-pdf-526c03bb1776 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53100 – nvme: tcp: avoid race between queue_lock lock and destroy
https://notcve.org/view.php?id=CVE-2024-53100
25 Nov 2024 — = lock) WARNING: CPU: 3 PID: 34077 at kernel/locking/mutex.c:587 __mutex_lock+0xcf0/0x1220 Modules linked in: nvmet_tcp nvmet nvme_tcp nvme_fabrics iw_cm ib_cm ib_core pktcdvd nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set nf_tables qrtr sunrpc ppdev 9pnet_virtio 9pnet pcspkr netfs parport_pc parport e1000 i2c_piix4 i2c_smbus loop fuse nfnetlink zram bochs drm_vram_helper dr... • https://git.kernel.org/stable/c/4f946479b326a3cbb193f2b8368aed9269514c35 •
CVSS: 7.1EPSS: 0%CPEs: 6EXPL: 0CVE-2024-53099 – bpf: Check validity of link->type in bpf_link_show_fdinfo()
https://notcve.org/view.php?id=CVE-2024-53099
25 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/79f87a6ec39fb5968049a6775a528bf58b25c20a •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53098 – drm/xe/ufence: Prefetch ufence addr to catch bogus address
https://notcve.org/view.php?id=CVE-2024-53098
25 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/dd08ebf6c3525a7ea2186e636df064ea47281987 •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53268 – Lack of validation on openExternal allows 1 click remote code execution in joplin
https://notcve.org/view.php?id=CVE-2024-53268
25 Nov 2024 — In affected versions attackers are able to abuse the fact that openExternal is used without any filtering of URI schemes to obtain remote code execution in Windows environments. • https://github.com/laurent22/joplin/security/advisories/GHSA-pc5v-xp44-5mgv • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11002 – InPost Gallery <= 2.1.4.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via inpost_gallery_get_shortcode_template
https://notcve.org/view.php?id=CVE-2024-11002
25 Nov 2024 — The The InPost Gallery plugin for WordPress is vulnerable to arbitrary shortcode execution via the inpost_gallery_get_shortcode_template AJAX action in all versions up to, and including, 2.1.4.2. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/inpost-gallery/trunk/index.php#L323 • CWE-94: Improper Control of Generation of Code ('Code Injection') •