
CVSS: 9.9 | EPSS: 0% | CPEs: 3 | EXPL: 0

Starting in version 9.7-rc-1 and prior to versions 15.10.11, 16.4.1, and 16.5.0, any user with an account can perform arbitrary remote code execution by adding instances of `XWiki.WikiMacroClass` to any page. • https://github.com/xwiki/xwiki-platform/commit/40e1afe001d61eafdf13f3621b4b597a0e58a3e3 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-2r87-74cx-2p7c https://jira.xwiki.org/browse/XWIKI-22030 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution. • https://www.dell.com/support/kbdoc/en-us/000227595/dsa-2024-355 • CWE-20: Improper Input Validation •

CVSS: 9.9 | EPSS: 0% | CPEs: 2 | EXPL: 0

Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where `Extension Repository Application` is installed, any user can execute any code requiring `programming` rights on the server. • https://github.com/xwiki/xwiki-platform/commit/8659f17d500522bf33595e402391592a35a162e8 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-j2pq-22jj-4pm5 https://jira.xwiki.org/browse/XWIKI-21890 • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') CWE-863: Incorrect Authorization •

CVSS: 9.2 | EPSS: 0% | CPEs: 1 | EXPL: 0

This results in writing arbitrary files to the file system which may, under some conditions, result in remote code execution (RCE). • https://github.com/ltdrdata/ComfyUI-Impact-Pack/blob/1087f2ee063c9d53cd198add79b41a7a3465c05a/modules/impact/impact_server.py#L28 https://github.com/ltdrdata/ComfyUI-Impact-Pack/commit/a43dae373e648ae0f0cc0c9768c3cea6a72acff7 • CWE-35: Path Traversal: '.../ •

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 0

This allows an attacker to craft a request that triggers a pip install on a user-controlled package or URL, resulting in remote code execution (RCE) on the server. • https://github.com/ltdrdata/ComfyUI-Manager/blob/ffc095a3e5acc1c404773a0510e6d055a6a72b0e/glob/manager_server.py#L798 https://github.com/ltdrdata/ComfyUI-Manager/commit/ffc095a3e5acc1c404773a0510e6d055a6a72b0e • CWE-94: Improper Control of Generation of Code ('Code Injection') •