CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-27217 – MSDP has a use after free vulnerability
https://notcve.org/view.php?id=CVE-2024-27217
07 May 2024 — in OpenHarmony v4.0.0 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. • https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2024/2024-05.md • CWE-416: Use After Free •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4038 – Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro <= 5.3.1 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-4038
07 May 2024 — The The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist Pro plugin for WordPress for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.3.1. This is due to the plugin for WordPress allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. El complemento The Back In Stock Notifier for WooCommerce | WooCommerce Waitlist... • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3080830%40back-in-stock-notifier-for-woocommerce&new=3080830%40back-in-stock-notifier-for-woocommerce&sfp_email=&sfph_mail= • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4135 – WP Latest Posts <= 5.0.7 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-4135
07 May 2024 — The WP Latest Posts plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.0.7. This is due to the plugin allowing users to execute an action that does not properly validate a user-supplied value prior to using that value in a call to do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. El complemento WP Latest Posts para WordPress es vulnerable a la ejecución arbitraria de códigos cortos en todas las version... • https://plugins.trac.wordpress.org/changeset/3081119/wp-latest-posts • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-30973
https://notcve.org/view.php?id=CVE-2024-30973
06 May 2024 — An issue in V-SOL G/EPON ONU HG323AC-B with firmware version V2.0.08-210715 allows an attacker to execute arbtirary code and obtain sensitive information via crafted POST request to /boaform/getASPdata/formFirewall, /boaform/getASPdata/formAcc. Un problema en V-SOL G/EPON ONU HG323AC-B con la versión de firmware V2.0.08-210715 permite a un atacante ejecutar código arbitrario y obtener información confidencial a través de una solicitud POST manipulada para /boaform/getASPdata/formFirewall, /boaform/getASPdat... • https://github.com/Athos-Zago/CVE-2024-30973 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33294
https://notcve.org/view.php?id=CVE-2024-33294
06 May 2024 — An issue in Library System using PHP/MySQli with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component. Un problema en el sistema de librería que usa PHP/MySQli con Source Code V1.0 permite a un atacante remoto ejecutar código arbitrario a través de la variable _FAILE en el componente Student_edit_photo.php. • https://github.com/CveSecLook/cve/issues/16 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-27281 – ruby: RCE vulnerability with .rdoc_options in RDoc
https://notcve.org/view.php?id=CVE-2024-27281
06 May 2024 — An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) The main fixed version is 6.6.3.1. For Ruby 3.0 users, a fixed... • https://hackerone.com/reports/1187477 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-32986 – Arbitrary code execution due to improper sanitization of web app properties in PWAsForFirefox
https://notcve.org/view.php?id=CVE-2024-32986
03 May 2024 — PWAsForFirefox is a tool to install, manage and use Progressive Web Apps (PWAs) in Mozilla Firefox. Due to improper sanitization of web app properties (such as name, description, shortcuts), web apps were able to inject additional lines into XDG Desktop Entries (on Linux) and `AppInfo.ini` (on PortableApps.com). This allowed malicious web apps to introduce keys like `Exec`, which could run arbitrary code when the affected web app was launched. This vulnerability affects all Linux and PortableApps.com users ... • https://github.com/filips123/PWAsForFirefox/commit/9932d4b289631d447f88ace09a2fabafe4cd5bd5 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34062 – tqdm CLI arguments injection attack
https://notcve.org/view.php?id=CVE-2024-34062
03 May 2024 — `--delim`, `--buf-size`, `--manpath`) are passed through python's `eval`, allowing arbitrary code execution. • https://github.com/tqdm/tqdm/commit/4e613f84ed2ae029559f539464df83fa91feb316 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-35701 – Apache Hive: Arbitrary command execution via JDBC driver
https://notcve.org/view.php?id=CVE-2023-35701
03 May 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Hive. The vulnerability affects the Hive JDBC driver component and it can potentially lead to arbitrary code execution on the machine/endpoint that the JDBC driver (client) is running. • http://www.openwall.com/lists/oss-security/2024/05/03/3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34434 – WordPress MDTF – Meta Data and Taxonomies Filter plugin <= 1.3.3.2 - Arbitrary Shortcode Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-34434
03 May 2024 — Incorrect Authorization vulnerability in realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) allows Code Inclusion, Functionality Misuse.This issue affects WordPress Meta Data and Taxonomies Filter (MDTF): from n/a through 1.3.3.2. Vulnerabilidad de autorización incorrecta en realmag777 WordPress Meta Data and Taxonomies Filter (MDTF) permite la inclusión de código y el uso indebido de funcionalidad. Este problema afecta a WordPress Meta Data and Taxonomies Filter (MDTF): desde n/a hasta 1.3.3.2. Th... • https://patchstack.com/database/vulnerability/wp-meta-data-filter-and-taxonomy-filter/wordpress-mdtf-meta-data-and-taxonomies-filter-plugin-1-3-3-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-863: Incorrect Authorization •