
CVE-2024-10262 – Drop Shadow Boxes <= 1.7.14 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-10262
15 Nov 2024 — The Drop Shadow Boxes plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.14. ... This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/drop-shadow-boxes/trunk/dropshadowboxes.php#L150 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-11243 – code-projects Online Shop Store signup.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-11243
15 Nov 2024 — A vulnerability classified as problematic has been found in code-projects Online Shop Store 1.0. ... A vulnerability was discovered in code-projects Online Shop Store 1.0. • https://code-projects.org • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-11240 – IBPhoenix ibWebAdmin Banco de Dados Tab database.php cross site scripting
https://notcve.org/view.php?id=CVE-2024-11240
15 Nov 2024 — Affected by this issue is unknown code in the file /database.php of the component Banco de Dados Tab. • https://docs.google.com/document/d/1_kk14QhqJuqMGzAD_SUlOSvCGwYdeF4gI8m7mVTPBAQ/edit?usp=sharing • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-10443
https://notcve.org/view.php?id=CVE-2024-10443
15 Nov 2024 — Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_18 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVE-2024-51142
https://notcve.org/view.php?id=CVE-2024-51142
15 Nov 2024 — Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. • https://infosecwriteups.com/chamilo-lms-authentication-bypass-and-cross-site-scripting-stored-3fcb874ac7c1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-44625
https://notcve.org/view.php?id=CVE-2024-44625
15 Nov 2024 — Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. • https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-10728 – PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10728
15 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-10728 • CWE-862: Missing Authorization •

CVE-2024-50986
https://notcve.org/view.php?id=CVE-2024-50986
15 Nov 2024 — An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file. • https://github.com/riftsandroses/CVE-2024-50986 • CWE-426: Untrusted Search Path •

CVE-2024-52427 – WordPress Event Tickets with Ticket Scanner plugin <= 2.3.11 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-52427
15 Nov 2024 — The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/event-tickets-with-ticket-scanner/wordpress-event-tickets-with-ticket-scanner-plugin-2-3-11-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVE-2024-50648
https://notcve.org/view.php?id=CVE-2024-50648
15 Nov 2024 — yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. • https://github.com/Yllxx03/CVE/blob/main/yshop_fileu_pload.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •