CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7129 – Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
https://notcve.org/view.php?id=CVE-2024-7129
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.7.42 via Twig Template Injection. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server. • https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-42918
https://notcve.org/view.php?id=CVE-2024-42918
itsourcecode Online Accreditation Management System contains a Cross Site Scripting vulnerability, which allows an attacker to execute arbitrary code via a crafted payload to the SCHOOLNAME, EMAILADDRES, CONTACTNO, COMPANYNAME and COMPANYCONTACTNO parameters in controller.php. • https://github.com/n00bS3cLe4rner/CVE-s/blob/main/CVE-2024-42918.md https://packetstormsecurity.com •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7772 – Jupiter X Core <= 4.6.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7772
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php https://plugins.trac.wordpress.org/changeset/3139412 https://www.wordfence.com/threat-intel/vulnerabilities/id/5b546d24-82c1-4598-8926-6e73a4784b38?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-42852
https://notcve.org/view.php?id=CVE-2024-42852
Cross Site Scripting vulnerability in AcuToWeb server v.10.5.0.7577C8b allows a remote attacker to execute arbitrary code via the index.php component. • https://github.com/Hebing123/cve/issues/64 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-42756
https://notcve.org/view.php?id=CVE-2024-42756
An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page • https://github.com/Nop3z/CVE/blob/main/Netgear/Netgear%20DGN1000%20RCE/Netgear%20DGN1000%20RCE.md https://www.netgear.com/about/security • CWE-94: Improper Control of Generation of Code ('Code Injection') •