CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-46640
https://notcve.org/view.php?id=CVE-2024-46640
SeaCMS 13.2 has a remote code execution vulnerability located in the file sql.class.chp. Although the system has a check function, the check function is not executed during execution, allowing remote code execution by writing to the file through the MySQL slow query method. • https://gitee.com/zheng_botong/CVE-2024-46640 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-42697
https://notcve.org/view.php?id=CVE-2024-42697
Cross Site Scripting vulnerability in Leotheme Leo Product Search Module v.2.1.6 and earlier allows a remote attacker to execute arbitrary code via the q parameter of the product search function. • https://github.com/JustDinooo/CVEs/blob/main/CVE-2024-42697/poc.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-37879
https://notcve.org/view.php?id=CVE-2024-37879
Improper input validation in /admin/config/save in User-friendly SVN (USVN) before v1.0.12 and below allows administrators to execute arbitrary code via the fields "siteTitle", "siteIco" and "siteLogo". • https://www.usvn.info/news.html https://github.com/usvn/usvn/commit/6b4678954fca9635154743b95ff9c8947cf5f46f https://github.com/usvn/usvn/releases/tag/1.0.12 https://www.usvn.info/2024/06/09/usvn-1.0.12 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-45489
https://notcve.org/view.php?id=CVE-2024-45489
Arc before 2024-08-26 allows remote code execution in JavaScript boosts. ... This installs the boost in the victim's browser and runs arbitrary Javascript on that browser in a privileged context. • https://kibty.town/blog/arc https://news.ycombinator.com/item?id=41597250 https://arc.net/blog/CVE-2024-45489-incident-response • CWE-284: Improper Access Control •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46983 – Remote Command Execution(RCE) Vulnerbility in sofa-hessian
https://notcve.org/view.php?id=CVE-2024-46983
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory `external/serialize.blacklist`. • https://github.com/sofastack/sofa-hessian/security/advisories/GHSA-c459-2m73-67hj • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •