CVE-2024-28179 – Jupyter Server Proxy's Websocket Proxying does not require authentication
https://notcve.org/view.php?id=CVE-2024-28179
In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. • https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433 https://github.com/jupyterhub/jupyter-server-proxy/commit/764e499f61a87641916a7a427d4c4b1ac3f321a9 https://github.com/jupyterhub/jupyter-server-proxy/commit/bead903b7c0354b6efd8b4cde94b89afab653e03 https://github.com/jupyterhub/jupyter-server-proxy/security/advisories/GHSA-w3vc-fx9p-wp4v • CWE-306: Missing Authentication for Critical Function
CVE-2024-28396
https://notcve.org/view.php?id=CVE-2024-28396
An issue in MyPrestaModules ordersexport v.6.0.2 and before allows a remote attacker to execute arbitrary code via the download.php component. • https://addons.prestashop.com/en/data-import-export/17596-orders-csv-excel-export-pro.html https://security.friendsofpresta.org/modules/2024/03/14/ordersexport.html • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-29027 – Parse Server crash and RCE via invalid Cloud Function or Cloud Job name
https://notcve.org/view.php?id=CVE-2024-29027
Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. • https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b https://github.com/parse-community/parse-server/commit/9f6e3429d3b326cf4e2994733c618d08032fac6e https://github.com/parse-community/parse-server/releases/tag/6.5.5 https://github.com/parse-community/parse-server/releases/tag/7.0.0-alpha.29 https://github.com/parse-community/parse-server/security/advisories/GHSA-6hh7-46r2-vf29 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVE-2024-26064 – Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-26064
This could result in arbitrary code execution in the context of the victim's browser. • https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-26044 – Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-26044
This could result in arbitrary code execution in the context of the victim's browser. • https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')