CVE-2024-6386 – WPML Multilingual CMS <= 4.6.12 - Authenticated(Contributor+) Remote Code Execution via Twig Server-Side Template Injection
https://notcve.org/view.php?id=CVE-2024-6386
The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via the Twig Server-Side Template Injection. ... This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The WPML plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.6.12 via Twig Server-Side Template Injection. ... This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. • https://github.com/realbotnet/CVE-2024-6386 https://github.com/argendo/CVE-2024-6386 https://sec.stealthcopter.com/wpml-rce-via-twig-ssti https://wpml.org https://www.wordfence.com/threat-intel/vulnerabilities/id/f7fc91cc-e529-4362-8269-bf7ee0766e1e? • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-7013
https://notcve.org/view.php?id=CVE-2024-7013
Stack-based buffer overflow in Control FPWIN Pro version 7.7.2.0 and all previous versions may allow attackers to execute arbitrary code via a specially crafted project file. • https://industry.panasonic.com/jp/ja/products/fasys/plc/software/fpwinpro7 https://industry.panasonic.eu/products/automation-devices-solutions/programmable-logic-controllers-plc/plc-software/programming-software-control-fpwin-pro • CWE-121: Stack-based Buffer Overflow •
CVE-2024-41572
https://notcve.org/view.php?id=CVE-2024-41572
Remote attackers can inject JavaScript code without authorization. Exploiting this vulnerability, attackers can steal user credentials or execute actions such as injecting malicious scripts or redirecting users to malicious sites. • https://medium.com/%40ChadSecurity/cve-2024-41572-68397fae354b •
CVE-2024-42779
https://notcve.org/view.php?id=CVE-2024-42779
This allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Unrestricted%20File%20Upload%20-%20Add%20New%20Music%20List.pdf https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-42781
https://notcve.org/view.php?id=CVE-2024-42781
A SQL injection vulnerability in "/music/ajax.php?action=login" of Kashipara Music Management System v1.0 allows remote attackers to execute arbitrary SQL commands and bypass Login via the email parameter. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/SQL%20Injection%20-%20Login.pdf https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •