
CVE-2024-29399
https://notcve.org/view.php?id=CVE-2024-29399
11 Apr 2024 — An issue was discovered in GNU Savane v.3.13 and before that allows a remote attacker to execute arbitrary code and escalate privileges via a crafted file to the upload.php component. • https://github.com/ally-petitt/CVE-2024-29399 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-22722
https://notcve.org/view.php?id=CVE-2024-22722
11 Apr 2024 — Server Side Template Injection (SSTI) vulnerability in Form Tools 3.1.1 allows attackers to run arbitrary commands via the Group Name field under the add forms section of the application. • https://hakaisecurity.io/error-404-your-security-not-found-tales-of-web-vulnerabilities • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-30878
https://notcve.org/view.php?id=CVE-2024-30878
11 Apr 2024 — A cross-site scripting (XSS) vulnerability in RageFrame2 v2.6.43 allows remote attackers to execute arbitrary web scripts or HTML and obtain sensitive information via a crafted payload injected into the upload_drive parameter. • https://github.com/jianyan74/rageframe2/issues/111 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-25376
https://notcve.org/view.php?id=CVE-2024-25376
11 Apr 2024 — An issue discovered in Thesycon Software Solutions Gmbh & Co. KG TUSBAudio MSI-based installers before 5.68.0 allows a local attacker to execute arbitrary code via the msiexec.exe repair mode. • https://github.com/ewilded/CVE-2024-25376-POC • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-2195 – Remote Code Execution in aimhubio/aim
https://notcve.org/view.php?id=CVE-2024-2195
10 Apr 2024 — A critical Remote Code Execution (RCE) vulnerability was identified in the aimhubio/aim project, specifically within the `/api/runs/search/run/` endpoint, affecting versions >= 3.0.0. The vulnerability resides in the `run_search_api` function of the `aim/web/api/runs/views.py` file, where improper restriction of user access to the `RunView` object allows for the execution of arbitrary code via the `query` parameter. This issue enables attackers to execute arbitrary commands on the server, potentially leadin... • https://huntr.com/bounties/22f2355e-b875-4c01-b454-327e5951c018 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-3098 – Prompt Injection leading to Arbitrary Code Execution in run-llama/llama_index
https://notcve.org/view.php?id=CVE-2024-3098
10 Apr 2024 — A vulnerability was identified in the `exec_utils` class of the `llama_index` package, specifically within the `safe_eval` function, allowing for prompt injection leading to arbitrary code execution. • https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-3568 – Arbitrary Code Execution via Deserialization in huggingface/transformers
https://notcve.org/view.php?id=CVE-2024-3568
10 Apr 2024 — The huggingface/transformers library is vulnerable to arbitrary code execution through deserialization of untrusted data within the `load_repo_checkpoint()` function of the `TFPreTrainedModel()` class. • https://github.com/huggingface/transformers/commit/693667b8ac8138b83f8adb6522ddaf42fa07c125 • CWE-502: Deserialization of Untrusted Data •

CVE-2024-20772 – Adobe Media Encoder 2024 AI file parsing Stack based buffer overflow
https://notcve.org/view.php?id=CVE-2024-20772
10 Apr 2024 — Media Encoder versions 24.2.1, 23.6.4 and earlier are affected by a Stack-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/media-encoder/apsb24-23.html • CWE-121: Stack-based Buffer Overflow •

CVE-2024-20758 – [Adobe Cloud] RCE through frontend gift registry sharing
https://notcve.org/view.php?id=CVE-2024-20758
10 Apr 2024 — Adobe Commerce versions 2.4.6-p4, 2.4.5-p6, 2.4.4-p7, 2.4.7-beta3 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/magento/apsb24-18.html • CWE-20: Improper Input Validation •

CVE-2024-27476
https://notcve.org/view.php?id=CVE-2024-27476
10 Apr 2024 — Leantime 3.0.6 is vulnerable to HTML Injection via /dashboard/show#/tickets/newTicket. • https://github.com/dead1nfluence/Leantime-POC • CWE-94: Improper Control of Generation of Code ('Code Injection') •