CVE-2024-55877 – XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList
https://notcve.org/view.php?id=CVE-2024-55877
Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page.
• https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3
• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c
• https://jira.xwiki.org/browse/XWIKI-22030
• CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CVE-2024-55662 – XWiki allows remote code execution through the extension sheet
https://notcve.org/view.php?id=CVE-2024-55662
XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. This vulnerability has been fixed in XWiki 15.10.9 and 16.3.0. Since `Extension Repository Application` is not mandatory, it can be safely disabled on instances that do not use it as a workaround. It is also possible to manually apply the patches from commit 8659f17d500522bf33595e402391592a35a162e8 to the page `ExtensionCode.ExtensionSheet` and to the page `ExtensionCode.ExtensionAuthorsDisplayer`.
• https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8
• https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5
• https://jira.xwiki.org/browse/XWIKI-21890
• CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
• CWE-863: Incorrect Authorization
CVE-2024-21575
https://notcve.org/view.php?id=CVE-2024-21575
This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE).
• https://github.com/ltdrdata/ComfyUI-Impact-Pack/blob/1087f2ee063c9d53cd198add79b41a7a3465c05a/modules/impact/impact_server.py#L28
• https://github.com/ltdrdata/ComfyUI-Impact-Pack/commit/a43dae373e648ae0f0cc0c9768c3cea6a72acff7
• CWE-35: Path Traversal: '.../
CVE-2024-21574
https://notcve.org/view.php?id=CVE-2024-21574
This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server. ...
• https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3e5acc1c404773a0510e6d055a6a72b0e/glob/manager_server.py#L798
• https://github.com/ltdrdata/ComfyUI-Manager/commit/ffc095a3e5acc1c404773a0510e6d055a6a72b0e
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-54810
https://notcve.org/view.php?id=CVE-2024-54810
A SQL Injection vulnerability was found in /preschool/admin/password-recovery.php in PHPGurukul Pre-School Enrollment System Project v1.0, which allows remote attackers to execute arbitrary code via the mobileno parameter.
• https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Pre-School%20Enrollment/SQL%20Injection%20pre-school%20pa.pdf
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')