
CVE-2023-45161 – 1E-Exchange-URLResponseTime instruction before v20.1 allows arbitrary code execution
https://notcve.org/view.php?id=CVE-2023-45161
06 Nov 2023 — The 1E-Exchange-URLResponseTime instruction that is part of the Network product pack available on the 1E Exchange does not properly validate the URL parameter, which allows for a specially crafted input to perform arbitrary code execution with SYSTEM permissions. • https://exchange.1e.com/product-packs/network • CWE-20: Improper Input Validation •

CVE-2023-46947
https://notcve.org/view.php?id=CVE-2023-46947
03 Nov 2023 — Subrion 4.2.1 has a remote command execution vulnerability in the backend. • https://github.com/intelliants/subrion/issues/909 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-46404
https://notcve.org/view.php?id=CVE-2023-46404
03 Nov 2023 — PCRS <= 3.11 (d0de1e) “Questions” page and “Code editor” page are vulnerable to remote code execution (RCE) by escaping Python sandboxing. • https://github.com/windecks/CVE-2023-46404 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-46980
https://notcve.org/view.php?id=CVE-2023-46980
03 Nov 2023 — An issue in Best Courier Management System v.1.0 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted script to the userID parameter. • https://github.com/sajaljat/CVE-2023-46980 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-46958
https://notcve.org/view.php?id=CVE-2023-46958
02 Nov 2023 — An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file. • http://lmxcms.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-20063 – Cisco Firepower Threat Defense Software and Cisco Firepower Management Center Code Injection Vulnerability
https://notcve.org/view.php?id=CVE-2023-20063
01 Nov 2023 — A vulnerability in the inter-device communication mechanisms between devices that are running Cisco Firepower Threat Defense (FTD) Software and devices that are running Cisco Firepower Management (FMC) Software could allow an authenticated, local attacker to execute arbitrary commands with root permissions on the underlying operating system of an affected device. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by accessing the expert ... • https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ftd-fmc-code-inj-wSHrgz8L • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2023-39281
https://notcve.org/view.php?id=CVE-2023-39281
01 Nov 2023 — A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to execute arbitrary code during the DXE phase. • https://www.insyde.com/security-pledge • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2023-46248 – Overwrite of builtin Cody commands facilitates RCE
https://notcve.org/view.php?id=CVE-2023-46248
31 Oct 2023 — If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. • https://github.com/sourcegraph/cody/pull/1414 • CWE-15: External Control of System or Configuration Setting •

CVE-2023-42658 – InSpec Archive Command Vulnerable to Maliciously Crafted Profile
https://notcve.org/view.php?id=CVE-2023-42658
31 Oct 2023 — The archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allows local command execution via a maliciously crafted profile. • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •

CVE-2023-40050 – Automate Vulnerable to Malicious Content Uploaded Through Embedded Compliance Application
https://notcve.org/view.php?id=CVE-2023-40050
31 Oct 2023 — Uploading a profile, either through the API or the user interface, in Chef Automate prior to and including version 4.10.29 using the InSpec check command with a maliciously crafted profile allows remote code execution. • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •