CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-6345 – Remote Code Execution in pypa/setuptools
https://notcve.org/view.php?id=CVE-2024-6345
A vulnerability in the package_index module of pypa/setuptools versions up to 69.1.1 allows for remote code execution via its download functions. These functions, which are used to download packages from URLs provided by users or retrieved from package index servers, are susceptible to code injection. If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. ... Affected versions of this package allow remote code execution via its download functions. ... If these functions are exposed to user-controlled inputs, such as package URLs, they can execute arbitrary commands on the system. • https://github.com/pypa/setuptools/commit/88807c7062788254f654ea8c03427adc859321f0 https://huntr.com/bounties/d6362117-ad57-4e83-951f-b8141c6e7ca5 https://access.redhat.com/security/cve/CVE-2024-6345 https://bugzilla.redhat.com/show_bug.cgi?id=2297771 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-40524
https://notcve.org/view.php?id=CVE-2024-40524
Directory Traversal vulnerability in xmind2testcase v.1.5 allows a remote attacker to execute arbitrary code via the webtool\application.py component. • https://www.yuque.com/iceqaq/rtn9q7/cdd9w9phgxuqy4to • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-39841 – Centreon testServiceExistence SQL Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-39841
A SQL Injection vulnerability exists in the service configuration functionality in Centreon Web 24.04.x before 24.04.3, 23.10.x before 23.10.13, 23.04.x before 23.04.19, and 22.10.x before 22.10.23. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Centreon. ... An attacker can leverage this vulnerability to execute code in the context of the apache user. • https://github.com/centreon/centreon/releases https://thewatch.centreon.com/latest-security-bulletins-64/security-bulletin-for-centreon-web-3744 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36522 – Apache Wicket: Remote code execution via XSLT injection
https://notcve.org/view.php?id=CVE-2024-36522
The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. • http://www.openwall.com/lists/oss-security/2024/07/12/2 https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-6396 – Arbitrary File Overwrite and Data Exfiltration in aimhubio/aim
https://notcve.org/view.php?id=CVE-2024-6396
A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. ... This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution. • https://huntr.com/bounties/c1b17afd-4656-47bb-8310-686a9e1b04a0 • CWE-29: Path Traversal: '\..\filename' •