CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 4

This allows an attacker to overwrite adjacent memory, which leads to arbitrary code execution. • https://www.exploit-db.com/exploits/51891 http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html http://packetstormsecurity.com/files/177032/KiTTY-0.76.1.13-Buffer-Overflows.html http://seclists.org/fulldisclosure/2024/Feb/13 http://seclists.org/fulldisclosure/2024/Feb/14 https://blog.defcesco.io/CVE-2024-25003-CVE-2024-25004 • CWE-787: Out-of-bounds Write •

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 5

This allows an attacker to add inputs inside the filename variable, leading to arbitrary code execution. • https://www.exploit-db.com/exploits/51892 http://packetstormsecurity.com/files/177031/KiTTY-0.76.1.13-Command-Injection.html http://seclists.org/fulldisclosure/2024/Feb/13 http://seclists.org/fulldisclosure/2024/Feb/14 https://blog.defcesco.io/CVE-2024-23749 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: - • EXPL: 0

Yealink Meeting Server before v26.0.0.66 was discovered to contain an OS command injection vulnerability via the file upload interface. • https://www.yealink.com/en/trust-center/security-advisories/2f2b990211c440cf • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.8 • EPSS: 0% • CPEs: 2 • EXPL: 2

This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources. • https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3 https://security.netapp.com/advisory/ntap-20240315-0008 https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only https://access.redhat.com/security/cve/CVE-2023-42282 https://bugzilla.redhat.com/show_bug.cgi?id=2265161 • CWE-918: Server-Side Request Forgery (SSRF) •

CVSS: 8.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •