CVE-2024-41878 – Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-41878
This vulnerability could allow an attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. • https://helpx.adobe.com/security/products/experience-manager/apsb24-05.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43791 – RequestStore has Incorrect Default Permissions
https://notcve.org/view.php?id=CVE-2024-43791
The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. • https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m • CWE-276: Incorrect Default Permissions •
CVE-2024-5466 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5466
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option. • https://www.manageengine.com/itom/advisory/cve-2024-5466.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-42845 – Invesalius 3.1 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-42845
An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file. • https://github.com/invesalius/invesalius3 https://github.com/invesalius/invesalius3/releases https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-7129 – Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
https://notcve.org/view.php?id=CVE-2024-7129
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection, which, when further exploited, can result in remote code execution by high-privilege users such as admins. The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.6.7.42 via Twig Template Injection. This makes it possible for authenticated attackers, with administrator-level access and above, to execute code on the server. • https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •