
CVSS: 9.1 • EPSS: 0% • CPEs: 2 • EXPL: 0

12 Dec 2024 — Starting in version 2.3 and prior to versions 15.10.9, 16.3.0, any user with script rights can perform arbitrary remote code execution by adding instances of `XWiki.ConfigurableClass` to any page. • https://github.com/xwiki/xwiki-platform/commit/8493435ff9606905a2d913607d6c79862d0c168d • CWE-862: Missing Authorization

CVSS: 9.9 • EPSS: 0% • CPEs: 3 • EXPL: 0

12 Dec 2024 — Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. • https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CVSS: 9.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

12 Dec 2024 — Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. • https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') • CWE-863: Incorrect Authorization

CVSS: 9.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2024 — This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE). • https://github.com/ltdrdata/ComfyUI-Impact-Pack/blob/1087f2ee063c9d53cd198add79b41a7a3465c05a/modules/impact/impact_server.py#L28 • CWE-35: Path Traversal: '.../...//'

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2024 — This allows an attacker to craft a request that triggers a pip install on a user controlled package or URL, resulting in remote code execution (RCE) on the server. • https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3e5acc1c404773a0510e6d055a6a72b0e/glob/manager_server.py#L798 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

12 Dec 2024 — A SQL Injection vulnerability was found in /preschool/admin/password-recovery.php in PHPGurukul Pre-School Enrollment System Project v1.0, which allows remote attackers to execute arbitrary code via the mobileno parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Pre-School%20Enrollment/SQL%20Injection%20pre-school%20pa.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 2

12 Dec 2024 — A SQL Injection vulnerability was found in /admin/index.php in phpgurukul Online Nurse Hiring System v1.0, which allows remote attackers to execute arbitrary SQL commands to get unauthorized database access via the username parameter. • https://github.com/kuzgunaka/CVE-2024-55099-Online-Nurse-Hiring-System-v1.0-SQL-Injection-Vulnerability- • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 2

12 Dec 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible. • https://codecanyon.net/item/super-backup-clone-migrate-for-wordpress/12943030 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 7.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

12 Dec 2024 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://cdn.wacom.com/u/productsupport/drivers/win/professional/releasenotes/Windows_6.4.8-2.html • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Dec 2024 — Running a mount command may unexpectedly execute arbitrary code. macOS Sequoia 15.2 addresses bypass, code execution, and out of bounds access vulnerabilities. • https://support.apple.com/en-us/121839 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')