
CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Nov 2023 — Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1837 • CWE-416: Use After Free

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

27 Nov 2023 — Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1838 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Nov 2023 — Specially crafted JavaScript code inside a malicious PDF document can trigger reuse of a previously freed object, which can lead to memory corruption and result in arbitrary code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1839 • CWE-416: Use After Free

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Nov 2023 — Improper Control of Generation of Code ('Code Injection') vulnerability in Qode Interactive Qode Essential Addons. This issue affects Qode Essential Addons: from n/a through 1.5.2. • https://github.com/RandomRobbieBF/CVE-2023-47840 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-862: Missing Authorization

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

27 Nov 2023 — An issue in OwnCast v.0.1.1 allows a remote attacker to execute arbitrary code and obtain sensitive information via the authHost parameter of the indieauth function. • https://github.com/shahzaibak96/CVE-2023-46480 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 8.3 • EPSS: 0% • CPEs: 2 • EXPL: 1

24 Nov 2023 — The Export any WordPress data to XML/CSV WordPress plugin before 1.4.0 and the WP All Export Pro WordPress plugin before 1.8.6 do not validate and sanitise the `wp_query` parameter, which allows an attacker to run arbitrary commands on the remote server. • https://wpscan.com/vulnerability/48820f1d-45cb-4f1f-990d-d132bfc5536f • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — A buffer overflow vulnerability in a web browser plug-in could allow an attacker to exploit the vulnerability by sending crafted messages to computers installed with this plug-in, which could lead to arbitrary code execution or cause a process exception in the plug-in. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikvision-web-browser-plug-in-locals • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

23 Nov 2023 — Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Tips and Tricks HQ Stripe Payments allows Code Injection. This issue affects Stripe Payments: from n/a through 2.0.79. The Accept Stripe Payments plugin for WordPress... • https://patchstack.com/database/vulnerability/stripe-payments/wordpress-accept-stripe-payments-plugin-2-0-79-content-injection-vulnerability?_s_id=cve • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

22 Nov 2023 — It was discovered that a user with Fleet admin permissions could upload a malicious package. Due to using an older version of the js-yaml library, this package would be loaded in an insecure manner, allowing an attacker to execute commands on the Kibana server. • https://discuss.elastic.co/t/elastic-stack-7-14-1-security-update/283077 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

22 Nov 2023 — Standard users may use this to gain arbitrary code execution as SYSTEM. • https://www.videolan.org/security/sb-vlc3019.html • CWE-427: Uncontrolled Search Path Element