CVE-2024-23928 – Pioneer DMH-WT7600NEX Telematics Improper Certificate Validation Vulnerability
https://notcve.org/view.php?id=CVE-2024-23928
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. •
CVE-2024-40645 – FOG Authenticated File Upload RCE
https://notcve.org/view.php?id=CVE-2024-40645
An improperly restricted file upload feature allows authenticated users to execute arbitrary code on the fogproject server. • https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/packages/web/lib/pages/fogconfigurationpage.class.php#L2860-L2896 https://github.com/FOGProject/fogproject/commit/9469606a18bf8887740cceed6593a2e0380b5e0c https://github.com/FOGProject/fogproject/security/advisories/GHSA-59mq-q8g5-2f4f • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-6973 – Remote Code Execution in Cato Windows SDP client via crafted URLs
https://notcve.org/view.php?id=CVE-2024-6973
Remote Code Execution in Cato Windows SDP client via crafted URLs. This issue affects Windows SDP Client before 5.10.34. • https://support.catonetworks.com/hc/en-us/articles/19756987454237-CVE-2024-6973-Windows-SDP-Client-Remote-Code-Execution-via-crafted-URLs • CWE-20: Improper Input Validation •
CVE-2024-41950 – Insecure Jinja2 templates rendered in Haystack Components can lead to RCE
https://notcve.org/view.php?id=CVE-2024-41950
Haystack is an end-to-end LLM framework that allows you to build applications powered by LLMs, Transformer models, vector search and more. Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. The vulnerability has been fixed with Haystack `2.3.1`. • https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677 https://github.com/deepset-ai/haystack/pull/8095 https://github.com/deepset-ai/haystack/pull/8096 https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0 https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e https://github.com/deepset-ai/haystack/releases/tag/v2.3.1 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 https://jira.xwiki.org/browse/XWIKI-21473 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •