CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2023-50808
https://notcve.org/view.php?id=CVE-2023-50808
13 Feb 2024 — Zimbra Collaboration before Kepler 9.0.0 Patch 38 GA allows DOM-based JavaScript injection in the Modern UI. Zimbra Collaboration antes de Kepler 9.0.0 Patch 38 GA permite la inyección de JavaScript basada en DOM en la interfaz de usuario moderna. • https://wiki.zimbra.com/wiki/Security_Center • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 10EXPL: 0CVE-2024-25110 – Azure IoT Platform Device SDK Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-25110
12 Feb 2024 — The UAMQP is a general purpose C library for AMQP 1.0. During a call to open_get_offered_capabilities, a memory allocation may fail causing a use-after-free issue and if a client called it during connection communication it may cause a remote code execution. Users are advised to update the submodule with commit `30865c9c`. There are no known workarounds for this vulnerability. UAMQP es una librería C de uso general para AMQP 1.0. • https://github.com/Azure/azure-uamqp-c/commit/30865c9ccedaa32ddb036e87a8ebb52c3f18f695 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25096 – WordPress canto plugin <= 3.0.7 - Unauth. Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-25096
12 Feb 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Canto Inc. • https://patchstack.com/database/vulnerability/canto/wordpress-canto-plugin-3-0-6-unauthenticated-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-25713
https://notcve.org/view.php?id=CVE-2024-25713
11 Feb 2024 — yyjson through 0.8.0 has a double free, leading to remote code execution in some cases, because the pool_free function lacks loop checks. (pool_free is part of the pool series allocator, along with pool_malloc and pool_realloc.) yyjson hasta 0.8.0 tiene un doble free, lo que lleva a la ejecución remota de código en algunos casos, porque la función pool_free carece de comprobaciones de bucle. (pool_free es parte del asignador de series de grupos, junto con pool_malloc y pool_realloc). • https://github.com/ibireme/yyjson/security/advisories/GHSA-q4m7-9pcm-fpxh • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24821 – Code execution and possible privilege escalation via compromised InstalledVersions.php or installed.php in Composer
https://notcve.org/view.php?id=CVE-2024-24821
08 Feb 2024 — As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. ... As such, under certain conditions arbitrary code execution may lead to local privilege escalation, provide lateral user movement or malicious code execution when Composer is invoked within a directory with tampered files. • https://github.com/composer/composer/commit/64e4eb356b159a30c766cd1ea83450a38dc23bf5 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 6CVE-2024-23749 – KiTTY 0.76.1.13 - Command Injection
https://notcve.org/view.php?id=CVE-2024-23749
08 Feb 2024 — This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution. • https://packetstorm.news/files/id/177031 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-24091
https://notcve.org/view.php?id=CVE-2024-24091
08 Feb 2024 — Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface. Se descubrió que Yealink Meeting Server anterior a v26.0.0.66 contenía una vulnerabilidad de inyección de comandos del sistema operativo a través de la interfaz de carga de archivos. • https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 6CVE-2024-25003 – KiTTY 0.76.1.13 - 'Start Duplicated Session Hostname' Buffer Overflow
https://notcve.org/view.php?id=CVE-2024-25003
08 Feb 2024 — This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution. • https://packetstorm.news/files/id/177031 • CWE-787: Out-of-bounds Write •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 6CVE-2024-25004 – KiTTY 0.76.1.13 - 'Start Duplicated Session Username' Buffer Overflow
https://notcve.org/view.php?id=CVE-2024-25004
08 Feb 2024 — This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution. • https://packetstorm.news/files/id/177031 • CWE-787: Out-of-bounds Write •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 2CVE-2023-42282 – nodejs-ip: arbitrary code execution via the isPublic() function
https://notcve.org/view.php?id=CVE-2023-42282
08 Feb 2024 — This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources. • https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html • CWE-918: Server-Side Request Forgery (SSRF) •