CVE-2024-41950 – Insecure Jinja2 templates rendered in Haystack Components can lead to RCE
https://notcve.org/view.php?id=CVE-2024-41950
Haystack clients that let their users create and run Pipelines from scratch are vulnerable to remote code executions. Certain Components in Haystack use Jinja2 templates, if anyone can create and render that template on the client machine they run any code. • https://github.com/deepset-ai/haystack/security/advisories/GHSA-hx9v-6r9f-w677 https://github.com/deepset-ai/haystack/pull/8095 https://github.com/deepset-ai/haystack/pull/8096 https://github.com/deepset-ai/haystack/commit/3fed1366c448b02189851bf08166c1f6477a02b0 https://github.com/deepset-ai/haystack/commit/6c25a5c73e83aa32c3241ba84a5cbb3ac0e8a89e https://github.com/deepset-ai/haystack/releases/tag/v2.3.1 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-37901 – XWiki Platform vulnerable to remote code execution from account via SearchSuggestConfigSheet
https://notcve.org/view.php?id=CVE-2024-37901
Any user with edit right on any page can perform arbitrary remote code execution by adding instances of `XWiki.SearchSuggestConfig` and `XWiki.SearchSuggestSourceClass` to their user profile or any other page. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-h63h-5c77-77p5 https://github.com/xwiki/xwiki-platform/commit/0b135760514fef73db748986a3311f3edd4a553b https://github.com/xwiki/xwiki-platform/commit/742cd4591642be4cdcaf68325f17540e0934e64e https://github.com/xwiki/xwiki-platform/commit/9ce3e0319869b6d8131fc4e0909736f7041566a4 https://github.com/xwiki/xwiki-platform/commit/bbde8a4f564e3c28839440076334a9093e2b4834 https://jira.xwiki.org/browse/XWIKI-21473 • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE-862: Missing Authorization •
CVE-2024-41630
https://notcve.org/view.php?id=CVE-2024-41630
Stack-based buffer overflow vulnerability in Tenda AC18 V15.03.3.10_EN allows a remote attacker to execute arbitrary code via the ssid parameter at ip/goform/fast_setting_wifi_set. • https://palm-vertebra-fe9.notion.site/form_fast_setting_wifi_set-fd47294cf4bb460bb95f804d39e53f34 https://www.tendacn.com/hk/download/detail-3852.html https://www.tendacn.com/hk/download/detail-3863.html • CWE-121: Stack-based Buffer Overflow •
CVE-2024-7352 – PDF-XChange Editor PDF File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-7352
This vulnerability allows remote attackers to execute arbitrary code on affected installations of PDF-XChange Editor. ... An attacker can leverage this vulnerability to execute code in the context of the current process. •
CVE-2024-6233 – Check Point ZoneAlarm Extreme Security Link Following Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-6233
An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Forensic Recorder service. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. •