CVSS: 10.0EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5550 – Moodle: rce due to lfi risk in some misconfigured shared hosting environments
https://notcve.org/view.php?id=CVE-2023-5550
09 Nov 2023 — In a shared hosting environment that has been misconfigured to allow access to other users' content, a Moodle user who also has direct access to the web server outside of the Moodle webroot could utilise a local file include to achieve remote code execution. En un entorno de alojamiento compartido que ha sido mal configurado para permitir el acceso al contenido de otros usuarios, un usuario de Moodle que también tiene acceso directo al servidor web fuera del root web de Moodle podría utilizar un archivo loc... • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-72249 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5540 – Moodle: authenticated remote code execution risk in imscp
https://notcve.org/view.php?id=CVE-2023-5540
09 Nov 2023 — A remote code execution risk was identified in the IMSCP activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad IMSCP. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79409 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.0EPSS: 0%CPEs: 7EXPL: 0CVE-2023-5539 – Moodle: authenticated remote code execution risk in lesson
https://notcve.org/view.php?id=CVE-2023-5539
09 Nov 2023 — A remote code execution risk was identified in the Lesson activity. By default this was only available to teachers and managers. Se identificó un riesgo de ejecución remota de código en la actividad Lesson. Por defecto, esto sólo estaba disponible para profesores y directivos. • http://git.moodle.org/gw?p=moodle.git&a=search&h=HEAD&st=commit&s=MDL-79408 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2023-47248 – PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file
https://notcve.org/view.php?id=CVE-2023-47248
09 Nov 2023 — Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. • https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf • CWE-502: Deserialization of Untrusted Data •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0392
https://notcve.org/view.php?id=CVE-2023-0392
08 Nov 2023 — The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution. • https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392 • CWE-428: Unquoted Search Path or Element •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-45849 – Arbitrary Code Execution in Helix Core
https://notcve.org/view.php?id=CVE-2023-45849
08 Nov 2023 — An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. • https://perforce.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-47397
https://notcve.org/view.php?id=CVE-2023-47397
08 Nov 2023 — WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. • https://liotree.github.io/2023/webid.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46243 – Code execution via the edit action in XWiki platform
https://notcve.org/view.php?id=CVE-2023-46243
07 Nov 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible for a user to execute any content with the right of an existing document's content author, provided the user have edit right on it. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary groovy code on the server. This vulnerability has been patched... • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-46242 – Code injection in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-46242
07 Nov 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it's possible to execute a content with the right of any user via a crafted URL. A user must have `programming` privileges in order to exploit this vulnerability. This issue has been patched in XWiki 14.10.7 and 15.2RC1. Users are advised to upgrade. • https://github.com/xwiki/xwiki-platform/commit/cf8eb861998ea423c3645d2e5e974420b0e882be • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.3EPSS: 0%CPEs: 15EXPL: 3CVE-2023-46845
https://notcve.org/view.php?id=CVE-2023-46845
07 Nov 2023 — EC-CUBE 3 series (3.0.0 to 3.0.18-p6) and 4 series (4.0.0 to 4.0.6-p3, 4.1.0 to 4.1.2-p2, and 4.2.0 to 4.2.2) contain an arbitrary code execution vulnerability due to improper settings of the template engine Twig included in the product. • https://jvn.jp/en/jp/JVN29195731 • CWE-94: Improper Control of Generation of Code ('Code Injection') •