CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2024-0220 – B&R products use insufficient communication encryption
https://notcve.org/view.php?id=CVE-2024-0220
B&R Automation Studio Upgrade Service and B&R Technology Guarding use insufficient cryptography for communication to the upgrade and the licensing servers. A network-based attacker could exploit the vulnerability to execute arbitrary code on the products or sniff sensitive data. B&R Automation Studio Upgrade Service y B&R Technology Guarding utilizan criptografía insuficiente para la comunicación con la actualización y los servidores de licencias. Un atacante basado en la red podría aprovechar la vulnerabilidad para ejecutar código arbitrario en los productos o rastrear datos confidenciales. Falta de cifrado de datos confidenciales, transmisión de texto plano de información confidencial, control inadecuado de la generación de código ("inyección de código"), vulnerabilidad de fuerza de cifrado inadecuada en B&R Industrial Automation B&R Automation Studio (módulos de servicio de actualización), B&R Industrial Automation Technology Guarding.Este problema afecta a B&R Automation Studio: <4,6; Protección de tecnología: <1.4.0. • https://www.br-automation.com/fileadmin/SA23P019_Automation_Studio_Upgrade_Service_uses_insufficient_encryption.pdf-1b3b181c.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-311: Missing Encryption of Sensitive Data CWE-319: Cleartext Transmission of Sensitive Information CWE-326: Inadequate Encryption Strength CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-26483
https://notcve.org/view.php?id=CVE-2024-26483
An arbitrary file upload vulnerability in the Profile Image module of Kirby CMS v4.1.0 allows attackers to execute arbitrary code via a crafted PDF file. Una vulnerabilidad de carga de archivos arbitrarios en el módulo Imagen de perfil de Kirby CMS v4.1.0 permite a los atacantes ejecutar código arbitrario a través de un archivo PDF manipulado. • https://github.com/getkirby/kirby/security/advisories/GHSA-xrvh-rvc4-5m43 https://shrouded-trowel-50c.notion.site/Kirby-CMS-4-1-0-Unrestricted-File-Upload-dc60ce3132f04442b73f2dba2631fae0?pvs=4 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.6EPSS: 0%CPEs: -EXPL: 1CVE-2024-1705 – Shopwind Installation DefaultController.php actionCreate code injection
https://notcve.org/view.php?id=CVE-2024-1705
The manipulation leads to code injection. ... Durch das Manipulieren mit unbekannten Daten kann eine code injection-Schwachstelle ausgenutzt werden. • https://note.zhaoj.in/share/QHdXavkw5eDm https://vuldb.com/?ctiid.254393 https://vuldb.com/?id.254393 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: -EXPL: 0CVE-2024-23346 – pymatgen arbitrary code execution when parsing a maliciously crafted JonesFaithfulTransformation transformation_string
https://notcve.org/view.php?id=CVE-2024-23346
Pymatgen (Python Materials Genomics) is an open-source Python library for materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()` method within the `pymatgen` library prior to version 2024.2.20. This method insecurely utilizes `eval()` for processing input, enabling execution of arbitrary code when parsing untrusted input. Version 2024.2.20 fixes this issue. Pymatgen (Python Materials Genomics) es una librería Python de código abierto para análisis de materiales. • https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108 https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-45177
https://notcve.org/view.php?id=CVE-2022-45177
An issue was discovered in LIVEBOX Collaboration vDesk through v031. An Observable Response Discrepancy can occur under the /api/v1/vdeskintegration/user/isenableuser endpoint, the /api/v1/sharedsearch?search={NAME]+{SURNAME] endpoint, and the /login endpoint. The web application provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. Se descubrió un problema en LIVEBOX Collaboration vDesk hasta v031. • https://www.gruppotim.it/it/footer/red-team.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-203: Observable Discrepancy •