CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41859 – After Effects | Out-of-bounds Write (CWE-787)
https://notcve.org/view.php?id=CVE-2024-41859
After Effects versions 23.6.6, 24.5 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/after_effects/apsb24-55.html • CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7129 – Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
https://notcve.org/view.php?id=CVE-2024-7129
The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which further exploited can result to remote code Execution by high privilege such as admins • https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4 •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8479 – Simple Spoiler 1.2 - 1.3 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8479
The The Simple Spoiler plugin for WordPress is vulnerable to arbitrary shortcode execution in versions 1.2 to 1.3. ... This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/simple-spoiler/trunk/simple-spoiler.php#L108 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3151179%40simple-spoiler&new=3151179%40simple-spoiler&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/8ffc76d8-b841-4c26-bbc6-1f96664efe36?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-44430
https://notcve.org/view.php?id=CVE-2024-44430
SQL Injection vulnerability in Best Free Law Office Management Software-v1.0 allows an attacker to execute arbitrary code and obtain sensitive information via a crafted payload to the kortex_lite/control/register_case.php interface • https://blog.csdn.net/samwbs/article/details/140954482 https://github.com/samwbs/kortexcve/blob/main/xss_register_case/XSS_register_case.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8242 – MStore API – Create Native Android & iOS Apps On The Cloud <= 4.15.3 - Authenticated (Subscriber+) Limited Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8242
The MStore API – Create Native Android & iOS Apps On The Cloud plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the update_user_profile() function in all versions up to, and including, 4.15.3. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files (not including PHP files) on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/mstore-api/trunk/controllers/flutter-user.php#L1053 https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/controllers/flutter-user.php https://plugins.trac.wordpress.org/changeset/3147900/mstore-api/trunk/functions/index.php https://www.wordfence.com/threat-intel/vulnerabilities/id/fe3834a6-a6f5-4cc7-951e-a6ada6346b07?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •