
CVE-2023-2264 – Improper input validation could lead to code injection
https://notcve.org/view.php?id=CVE-2023-2264
30 Nov 2023 — An improper input validation vulnerability in the Schweitzer Engineering Laboratories SEL-411L could allow a malicious actor to manipulate authorized users to click on a link that could allow undesired behavior. See product Instruction Manual Appendix A dated 20230830 for more details. • https://selinc.com/support/security-notifications/external-reports • CWE-20: Improper Input Validation •

CVE-2023-31177 – Improper neutralization of input could lead to execution of arbitrary code
https://notcve.org/view.php?id=CVE-2023-31177
30 Nov 2023 — An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in the Schweitzer Engineering Laboratories SEL-451 could allow an attacker to craft a link that could execute arbitrary code on a victim's system. See product Instruction Manual Appendix A dated 20230830 for more details. • https://selinc.com/support/security-notifications/external-reports • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-4770 – Uncontrolled Search Path Element Vulnerability in 4D and 4D Windows Server
https://notcve.org/view.php?id=CVE-2023-4770
30 Nov 2023 — This vulnerability consists of DLL hijacking: replacing the x64 shfolder.dll in the installation path leads to arbitrary code execution. • https://www.incibe.es/en/incibe-cert/notices/aviso/uncontrolled-search-path-element-vulnerability-4d-and-4d-windows-server • CWE-427: Uncontrolled Search Path Element •

CVE-2023-37928
https://notcve.org/view.php?id=CVE-2023-37928
30 Nov 2023 — A post-authentication command injection vulnerability in the WSGI server of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. • https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2023-37927
https://notcve.org/view.php?id=CVE-2023-37927
30 Nov 2023 — The improper neutralization of special elements in the CGI program of the Zyxel NAS326 firmware version V5.21(AAZF.14)C0 and NAS542 firmware version V5.21(ABAG.11)C0 could allow an authenticated attacker to execute some operating system (OS) commands by sending a crafted URL to a vulnerable device. • https://bugprove.com/knowledge-hub/cve-2023-37927-and-cve-2023-37928-multiple-post-auth-blind-os-command-and-python-code-injection-vulnerabilities-in-zyxel-s-nas-326-devices • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2022-41678 – Apache ActiveMQ: Insufficient API restrictions on Jolokia allow authenticated users to perform RCE
https://notcve.org/view.php?id=CVE-2022-41678
28 Nov 2023 — Once a user is authenticated on Jolokia, they can potentially trigger arbitrary code execution. We encourage users to upgrade to the ActiveMQ distribution versions that include the updated Jolokia configuration: 5.16.6, 5.17.4, 5.18.0, 6.0.0. • https://github.com/mbadanoiu/CVE-2022-41678 • CWE-287: Improper Authentication CWE-502: Deserialization of Untrusted Data •

CVE-2023-49313
https://notcve.org/view.php?id=CVE-2023-49313
28 Nov 2023 — A dylib injection vulnerability in XMachOViewer 0.04 allows attackers to compromise integrity. By exploiting this, unauthorized code can be injected into the product's processes, potentially leading to remote control and unauthorized access to sensitive user data. • https://github.com/louiselalanne/CVE-2023-49313 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-49314
https://notcve.org/view.php?id=CVE-2023-49314
28 Nov 2023 — Asana Desktop 2.1.0 on macOS allows code injection because of specific Electron Fuses. There is inadequate protection against code injection through settings such as RunAsNode and EnableNodeCliInspectArguments, and thus r3ggi/electroniz3r can be used to perform an attack. • https://github.com/louiselalanne/CVE-2023-49314 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-48763 – WordPress JetFormBuilder plugin <= 3.1.4 - Content Injection vulnerability
https://notcve.org/view.php?id=CVE-2023-48763
28 Nov 2023 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Crocoblock JetFormBuilder allows Code Injection. This issue affects JetFormBuilder: from n/a through 3.1.4. The JetFormBuilder — Dynamic Blocks Form Builder plugin ... • https://patchstack.com/database/vulnerability/jetformbuilder/wordpress-jetformbuilder-plugin-3-1-4-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2023-5604 – Asgaros Forum < 2.7.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2023-5604
27 Nov 2023 — The Asgaros Forum WordPress plugin before 2.7.1 allows forum administrators, who may not be WordPress (super-)administrators, to set insecure configuration that allows unauthenticated users to upload dangerous files (e.g. .php, .phtml), potentially leading to remote code execution. • https://wpscan.com/vulnerability/4ce69d71-87bf-4d95-90f2-63d558c78b69 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •