
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 2

This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources.
• https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
• https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
• https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3
• https://security.netapp.com/advisory/ntap-20240315-0008
• https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only
• https://access.redhat.com/security/cve/CVE-2023-42282
• https://bugzilla.redhat.com/show_bug.cgi?id=2265161
• CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.0 | EPSS: 0% | CPEs: 2 | EXPL: 0

A potential attacker with access to the Westermo Lynx device may be able to execute malicious code that could affect the correct functioning of the device.
• https://www.cisa.gov/news-events/ics-advisories/icsa-24-023-04
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 0

Using well-crafted inputs to `git_index_add` can cause heap corruption that could be leveraged for arbitrary code execution. ... Depending on the application that uses libgit2, this could lead to arbitrary code execution.
• https://github.com/libgit2/libgit2/releases/tag/v1.6.5
• https://github.com/libgit2/libgit2/releases/tag/v1.7.2
• https://github.com/libgit2/libgit2/security/advisories/GHSA-j2v7-4f6v-gpg8
• https://lists.debian.org/debian-lts-announce/2024/02/msg00012.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4M3P7WIEPXNRLBINQRJFXUSTNKBCHYC7
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7CNDW3PF6NHO7OXNM5GN6WSSGAMA7MZE
• https://lists.
• CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
• CWE-122: Heap-based Buffer Overflow

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 2

An issue discovered in iSpyConnect.com Agent DVR 5.1.6.0 allows attackers to run arbitrary files by restoring a crafted backup file.
• https://github.com/Orange-418/AgentDVR-5.1.6.0-File-Upload-and-Remote-Code-Execution
• https://github.com/Orange-418/CVE-2024-22514-Remote-Code-Execution
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 0

Vintage, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.
• https://www.axis.com/dam/public/89/d9/99/cve-2023-5800-en-US-424339.pdf
• CWE-94: Improper Control of Generation of Code ('Code Injection')