
CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Mar 2024 — A vulnerability has been discovered in Distrobox, which can lead to arbitrary code execution. • https://github.com/89luca89/distrobox/commit/82a69f0a234e73e447d0ea8c8b3443b84fd31944 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 6.6 • EPSS: 0% • CPEs: 1 • EXPL: 0

21 Mar 2024 — An issue in osCommerce v4 allows local attackers to bypass file upload restrictions and execute arbitrary code via the administrator profile photo upload feature. • https://github.com/osCommerce/osCommerce-V4/issues/62 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 5 • EXPL: 0

20 Mar 2024 — An attacker with an Administrator role in GitHub Enterprise Server could gain SSH root access via remote code execution. This vulnerability affected GitHub Enterprise Server version 3.8.0 and above and was fixed in version 3.8.17, 3.9.12, 3.10.9, 3.11.7 and 3.12.1. This vulnerability was reported via the GitHub Bug Bounty program. • https://docs.github.com/en/enterprise-server@3.10/admin/release-notes#3.10.9 • CWE-20: Improper Input Validation •

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Mar 2024 — Starting in version 0.1.0 and prior to version 0.21.2, deserializing json data using `qiskit_ibm_runtime.RuntimeDecoder` can lead to arbitrary code execution given a correctly formatted input string. • https://github.com/Qiskit/qiskit-ibm-runtime/blob/16e90f475e78a9d2ae77daa139ef750cfa84ca82/qiskit_ibm_runtime/utils/json.py#L156-L159 • CWE-502: Deserialization of Untrusted Data •

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

20 Mar 2024 — In many cases, this leads to remote unauthenticated arbitrary code execution, due to how affected instances use websockets. • https://github.com/jupyterhub/jupyter-server-proxy/blob/9b624c4d9507176334b46a85d94a4aa3bcd29bed/jupyter_server_proxy/handlers.py#L433 • CWE-306: Missing Authentication for Critical Function •

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Mar 2024 — An issue in MyPrestaModules ordersexport v.6.0.2 and before allows a remote attacker to execute arbitrary code via the download.php component. • https://addons.prestashop.com/en/data-import-export/17596-orders-csv-excel-export-pro.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

19 Mar 2024 — Prior to versions 6.5.5 and 7.0.0-alpha.29, calling an invalid Parse Server Cloud Function name or Cloud Job name crashes the server and may allow for code injection, internal store manipulation or remote code execution. • https://github.com/parse-community/parse-server/commit/5ae6d6a36d75c4511029f0ba5673ae4b2999179b • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 6.4 • EPSS: 0% • CPEs: 35 • EXPL: 0

19 Mar 2024 — Using a markup injection an attacker could have stolen nonce values. This could have been used to bypass strict content security policies. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9. • https://bugzilla.mozilla.org/show_bug.cgi?id=1871112 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Mar 2024 — This could result in arbitrary code execution in the context of the victim's browser. • https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0

18 Mar 2024 — This could result in arbitrary code execution in the context of the victim's browser. • https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •