CVE-2024-39624 – WordPress ListingPro theme <= 2.9.3 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-39624
This makes it possible for authenticated attackers, with Subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/listingpro/wordpress-listingpro-theme-2-9-3-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-34329
https://notcve.org/view.php?id=CVE-2024-34329
Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.4 and earlier allows unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload. • https://github.com/pamoutaf/CVE-2024-34329 https://github.com/pamoutaf/CVE-2024-34329/blob/main/README.md https://www.entrust.com/ja/contact/services/downloads/drivers •
CVE-2024-6960 – H2O deserializes ML models without filtering, potentially allowing execution of malicious code
https://notcve.org/view.php?id=CVE-2024-6960
An attacker can construct a crafted Iced model that uses Java gadgets and leads to arbitrary code execution when imported to the H2O platform. • https://research.jfrog.com/vulnerabilities/h2o-model-deserialization-rce-jfsa-2024-001035518 • CWE-502: Deserialization of Untrusted Data •
CVE-2024-40347
https://notcve.org/view.php?id=CVE-2024-40347
A reflected cross-site scripting (XSS) vulnerability in Hyland Alfresco Platform 23.2.1-r96 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the parameter htmlid. • https://github.com/4rdr/proofs/blob/main/info/Alfresco_Reflected_XSS_via_htmlid_parameter.md •
CVE-2024-39906 – Remote code execution in Haven IndieAuthClient (GHSL-2024-093)
https://notcve.org/view.php?id=CVE-2024-39906
This leads to the immediate execution of the provided commands when the link is accessed by the authenticated administrator. This issue may lead to Remote Code Execution (RCE) and has been addressed by commit `c52f07c`. ... Este problema puede provocar la ejecución remota de código (RCE) y se solucionó mediante la confirmación `c52f07c`. • https://github.com/havenweb/haven/commit/c52f07c https://github.com/havenweb/haven/security/advisories/GHSA-65cm-7g24-hm9f • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •