CVE-2024-11422 – DWFX File Parsing Vulnerabilities in Autodesk Navisworks Desktop Software
https://notcve.org/view.php?id=CVE-2024-11422
A malicious actor can leverage this vulnerability to cause a crash, cause data corruption, or execute arbitrary code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://autodesk.com/trust/security-advisories/adsk-sa-2024-0027 • CWE-787: Out-of-bounds Write •
CVE-2024-50379 – Apache Tomcat: RCE due to TOCTOU issue in JSP compilation
https://notcve.org/view.php?id=CVE-2024-50379
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case-insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue. • https://github.com/yiliufeng168/CVE-2024-50379-POC https://github.com/JFOZ1010/Nuclei-Template-CVE-2024-50379 https://github.com/iSee857/CVE-2024-50379-PoC https://github.com/Alchemist3dot14/CVE-2024-50379 https://github.com/ph0ebus/Tomcat-CVE-2024-50379-Poc https://github.com/SleepingBag945/CVE-2024-50379 https://lists.apache.org/thread/y6lj6q1xnp822g6ro70tn19sgtjmr80r http://www.openwall.com/lists/oss-security/2024/12/17/4 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2024-29646
https://notcve.org/view.php?id=CVE-2024-29646
Buffer Overflow vulnerability in radareorg radare2 v.5.8.8 allows an attacker to execute arbitrary code via the name, type, or group fields. • https://gist.github.com/Crispy-fried-chicken/0be4a204e7226fa2cea761c09f027690 https://github.com/radareorg/radare2/pull/22562 https://github.com/radareorg/radare2/pull/22567 https://github.com/radareorg/radare2/pull/22572 https://github.com/radareorg/radare2/pull/22578 https://github.com/radareorg/radare2/pull/22599 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-49194
https://notcve.org/view.php?id=CVE-2024-49194
Databricks JDBC Driver before 2.6.40 could potentially allow remote code execution (RCE) by triggering a JNDI injection via a JDBC URL parameter. ... An attacker could potentially exploit this vulnerability to achieve Remote Code Execution in the context of the driver by tricking a victim into using a crafted connection URL that uses the property krbJAASFile. • https://kb.databricks.com/en_US/data-sources/security-bulletin-databricks-jdbc-driver-vulnerability-advisory-cve-2024-49194 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-12665 – ruifang-tech Rebuild Task Comment Attachment Upload cross site scripting
https://notcve.org/view.php?id=CVE-2024-12665
A vulnerability, which was classified as problematic, was found in ruifang-tech Rebuild 3.8.5. Affected is an unknown function of the component Task Comment Attachment Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/cydtseng/Vulnerability-Research/blob/main/rebuild/StoredXSS-TaskCommentAttachments.md https://vuldb.com/?ctiid.288534 https://vuldb.com/?id.288534 https://vuldb.com/?submit.458623 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •