CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7670 – Out-of-Bounds Read Vulnerability in Autodesk Desktop Software
https://notcve.org/view.php?id=CVE-2024-7670
30 Sep 2024 — A malicious actor can leverage this vulnerability to cause a crash, read sensitive data, or execute arbitrary code in the context of the current process. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Autodesk Navisworks Freedom. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://autodesk.com/trust/security-advisories/adsk-sa-2024-0015 • CWE-125: Out-of-bounds Read •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-28811
https://notcve.org/view.php?id=CVE-2024-28811
30 Sep 2024 — A web application allows a remote privileged attacker to execute applications contained in a specific OS directory via HTTP invocations. • https://www.cvcn.gov.it/cvcn/cve/CVE-2024-28811 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47351 – WordPress MaxSlider plugin <= 1.2.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-47351
30 Sep 2024 — This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/maxslider/wordpress-maxslider-plugin-1-2-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47645 – WordPress WPOptin plugin <= 2.0.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-47645
30 Sep 2024 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/wpoptin/wordpress-wpoptin-plugin-2-0-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47649 – WordPress Iconize plugin <= 1.2.4 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-47649
30 Sep 2024 — The Iconize plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.2.4. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/iconize/wordpress-iconize-plugin-1-2-4-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-45200
https://notcve.org/view.php?id=CVE-2024-45200
30 Sep 2024 — In Nintendo Mario Kart 8 Deluxe before 3.0.3, the LAN/LDN local multiplayer implementation allows a remote attacker to exploit a stack-based buffer overflow upon deserialization of session information via a malformed browse-reply packet, aka KartLANPwn. ... This enables a remote attacker to obtain complete denial-of-service on the game's process, or potentially, remote code execution on the victim's console. • https://github.com/latte-soft/kartlanpwn • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46475
https://notcve.org/view.php?id=CVE-2024-46475
30 Sep 2024 — A reflected cross-site scripting (XSS) vulnerability on the homepage of Metronic Admin Dashboard Template v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. • https://blog.csdn.net/qq_45744104/article/details/141903463 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46511
https://notcve.org/view.php?id=CVE-2024-46511
30 Sep 2024 — LoadZilla LLC LoadLogic v1.4.3 was discovered to contain insecure permissions vulnerability which allows a remote attacker to execute arbitrary code via the LogicLoadEc2DeployLambda and CredsGenFunction function. • https://github.com/zolaer9527/serverless-app/security/advisories/GHSA-3ggq-wrf4-c88v • CWE-266: Incorrect Privilege Assignment •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46540
https://notcve.org/view.php?id=CVE-2024-46540
30 Sep 2024 — A remote code execution (RCE) vulnerability in the component /admin/store.php of Emlog Pro before v2.3.15 allows attackers to use remote file downloads and self-extract fucntions to upload webshells to the target server, thereby obtaining system privileges. • https://gist.github.com/microvorld/1c1ef9c3390a5d88a5ede9f9424a8bd2 • CWE-266: Incorrect Privilege Assignment •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9108 – Wechat Social login <= 1.3.0 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9108
30 Sep 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/wechat-social-login/trunk/includes/social/class-xh-social-wp-api.php?rev=2111074#L39 • CWE-434: Unrestricted Upload of File with Dangerous Type •