CVE-2024-39877 – Apache Airflow: DAG Author Code Execution possibility in airflow-scheduler
https://notcve.org/view.php?id=CVE-2024-39877
Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. • https://github.com/apache/airflow/pull/40522 https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-277: Insecure Inherited Permissions •
CVE-2024-40420
https://notcve.org/view.php?id=CVE-2024-40420
A Server-Side Template Injection (SSTI) vulnerability in the edit theme function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload. • https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-43971
https://notcve.org/view.php?id=CVE-2023-43971
Cross Site Scripting vulnerability in ACG-faka v1.1.7 allows a remote attacker to execute arbitrary code via the encode parameter in Index.php. • https://gist.github.com/N0boy-0/7251856fed517eb6358d8cae03099b7b https://github.com/lizhipay/acg-faka/issues/72 •
CVE-2024-40492
https://notcve.org/view.php?id=CVE-2024-40492
Cross Site Scripting vulnerability in Heartbeat Chat v.15.2.1 allows a remote attacker to execute arbitrary code via the setname function. • https://github.com/minendie/POC_CVE-2024-40492 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-21164 – Oracle VirtualBox EHCI USB Controller Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-21164
An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of the hypervisor. • https://www.oracle.com/security-alerts/cpujul2024.html •