CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0714 – Metform Elementor Contact Form Builder <= 3.2.4 - Unauthenticated Double-Extension Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-0714
This allows unauthenticated visitors to perform a "double extension" attack and upload files containing a malicious extension but ending with a benign extension, which may make remote code execution possible in some configurations. • https://plugins.trac.wordpress.org/browser/metform/trunk/core/entries/file-data-validation.php?rev=2746287 https://plugins.trac.wordpress.org/changeset/2896914 https://www.wordfence.com/threat-intel/vulnerabilities/id/697ce433-f321-4977-a2ad-68369d9ce9c3?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.3EPSS: 0%CPEs: -EXPL: 0CVE-2024-22219
https://notcve.org/view.php?id=CVE-2024-22219
XML External Entity (XXE) vulnerability in Terminalfour 8.0.0001 through 8.3.18 and XML JDBC versions up to 1.0.4 allows authenticated users to submit malicious XML via unspecified features which could lead to various actions such as accessing the underlying server, remote code execution (RCE), or performing Server-Side Request Forgery (SSRF) attacks. • https://docs.terminalfour.com/articles/release-notes-highlights https://docs.terminalfour.com/release-notes/security-notices/cve-2024-22218--cve-2024-22219 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-42678
https://notcve.org/view.php?id=CVE-2024-42678
Cross Site Scripting vulnerability in Super easy enterprise management system v.1.0.0 and before allows a local attacker to execute arbitrary code via a crafted script to the /WebSet/DlgGridSet.html component. • https://github.com/WarmBrew/web_vul/blob/main/CYGLXT/CYxss.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-27730
https://notcve.org/view.php?id=CVE-2024-27730
Insecure Permissions vulnerability in Friendica v.2023.12 allows a remote attacker to obtain sensitive information and execute arbitrary code via the cid parameter of the calendar event feature. • https://leo.oliver.nz/posts/2024/05/friendica-cve-disclosures https://github.com/friendica/friendica/pull/13927 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-42676
https://notcve.org/view.php?id=CVE-2024-42676
File Upload vulnerability in Huizhi enterprise resource management system v.1.0 and before allows a remote attacker to execute arbitrary code via the /nssys/common/Upload. • https://github.com/WarmBrew/web_vul/blob/main/HZ-cve/HZupload.md • CWE-434: Unrestricted Upload of File with Dangerous Type •