CVE-2024-45187 – Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution
https://notcve.org/view.php?id=CVE-2024-45187
Guest users in the Mage AI framework who remain logged in after their accounts are deleted are mistakenly given high privileges, specifically the ability to remotely execute arbitrary code through the Mage AI terminal server • https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602 • CWE-266: Incorrect Privilege Assignment •
CVE-2024-7954 – SPIP porte_plume Plugin Arbitrary PHP Execution
https://notcve.org/view.php?id=CVE-2024-7954
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 contains an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. • https://github.com/Chocapikk/CVE-2024-7954 https://github.com/bigb0x/CVE-2024-7954 https://github.com/fa-rrel/CVE-2024-7954-RCE https://github.com/MuhammadWaseem29/RCE-CVE-2024-7954 https://vulncheck.com/advisories/spip-porte-plume https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather • CWE-284: Improper Access Control •
CVE-2024-43791 – RequestStore has Incorrect Default Permissions
https://notcve.org/view.php?id=CVE-2024-43791
The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. • https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m • CWE-276: Incorrect Default Permissions •
CVE-2024-5466 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5466
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option. • https://www.manageengine.com/itom/advisory/cve-2024-5466.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-42845 – Invesalius 3.1 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-42845
An eval injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code by loading a crafted DICOM file. • https://github.com/invesalius/invesalius3 https://github.com/invesalius/invesalius3/releases https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845 • CWE-94: Improper Control of Generation of Code ('Code Injection') •