CVSS: 6.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-50965
https://notcve.org/view.php?id=CVE-2024-50965
22 Nov 2024 — Cross Site Scripting vulnerability in Public Knowledge Project PKP Platform OJS/OMP/OPS- before v.3.3.0.16 allows an attacker to execute arbitrary code and escalate privileges via a crafted script • https://openjournaltheme.com/urgent-critical-vulnerabilities-in-3-3-0-18-upgrade-your-ojs-now • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9659 – School Management <= 91.5.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9659
22 Nov 2024 — The School Management System for Wordpress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the mj_smgt_user_avatar_image_upload() function in all versions up to, and including, 91.5.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/zetraxz/CVE-2024-9659 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52052 – Stream Target Remote Code Execution in Wowza Streaming Engine
https://notcve.org/view.php?id=CVE-2024-52052
21 Nov 2024 — Wowza Streaming Engine below 4.9.1 permits an authenticated Streaming Engine Manager administrator to define a custom application property and poison a stream target for high-privilege remote code execution. • https://www.rapid7.com/blog/post/2024/11/20/multiple-vulnerabilities-in-wowza-streaming-engine-fixed • CWE-646: Reliance on File Name or Extension of Externally-Supplied File •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53095 – smb: client: Fix use-after-free of network namespace.
https://notcve.org/view.php?id=CVE-2024-53095
21 Nov 2024 — Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. Also, maybe_get_net() cannot be put just before __sock_create() because the code is not under RCU and there is a small chance that the same address happened to be reallocated to another netns. [0]: CIFS: VFS: \\XXXXXXXXXXX has not responded in 15 seconds. ... • https://git.kernel.org/stable/c/26abe14379f8e2fa3fd1bcf97c9a7ad9364886fe • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-53093 – nvme-multipath: defer partition scanning
https://notcve.org/view.php?id=CVE-2024-53093
21 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/60de2e03f984cfbcdc12fa552f95087c35a05a98 •
CVSS: -EPSS: 0%CPEs: 3EXPL: 0CVE-2024-53091 – bpf: Add sk_is_inet and IS_ICSK check in tls_sw_has_ctx_tx/rx
https://notcve.org/view.php?id=CVE-2024-53091
21 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/94531cfcbe79c3598acf96806627b2137ca32eb9 •
CVSS: -EPSS: 0%CPEs: 2EXPL: 0CVE-2024-53089 – LoongArch: KVM: Mark hrtimer to expire in hard interrupt context
https://notcve.org/view.php?id=CVE-2024-53089
21 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/fa96b57c149061f71a70bd6582d995f6424fbbf4 •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52799 – Argo Workflows Chart: Excessive Privileges in Workflow Role
https://notcve.org/view.php?id=CVE-2024-52799
21 Nov 2024 — Prior to 0.44.0, the workflow-role has excessive privileges, the worst being create pods/exec, which will allow kubectl exec into any Pod in the same namespace, i.e. arbitrary code execution within those Pods. • https://github.com/argoproj/argo-helm/security/advisories/GHSA-fgrf-2886-4q7m • CWE-250: Execution with Unnecessary Privileges CWE-1220: Insufficient Granularity of Access Control •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2024-11587 – idcCMS classProvCity.php GetCityOptionJs cross site scripting
https://notcve.org/view.php?id=CVE-2024-11587
21 Nov 2024 — A vulnerability was found in idcCMS 1.60. It has been classified as problematic. This affects the function GetCityOptionJs of the file /inc/classProvCity.php. The manipulation of the argument idName leads to cross site scripting. It is possible to initiate the attack remotely. • https://vuldb.com/?id.285657 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.9EPSS: 2%CPEs: 1EXPL: 2CVE-2024-11320 – Command Injection leading to RCE via LDAP Misconfiguration
https://notcve.org/view.php?id=CVE-2024-11320
21 Nov 2024 — Arbitrary commands execution on the server by exploiting a command injection vulnerability in the LDAP authentication mechanism. • https://packetstorm.news/files/id/183465 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •