CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-1206 – AdRotate – Ad manager & AdSense Ads <= 5.13.2 - Authenticated (Admin+) Double Extension Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2022-1206
The AdRotate Banner Manager – The only ad manager you'll need plugin for WordPress is vulnerable to arbitrary file uploads due to missing file extension sanitization in the adrotate_insert_media() function in all versions up to, and including, 5.13.2. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files with double extensions on the affected site's server which may make remote code execution possible. This is only exploitable on select instances where the configuration will execute the first extension present. • https://plugins.trac.wordpress.org/browser/adrotate/trunk/adrotate-admin-manage.php#L418 https://www.wordfence.com/threat-intel/vulnerabilities/id/9f92219a-e07e-422d-a9f2-dbe4fbcd5f55?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-23729
https://notcve.org/view.php?id=CVE-2024-23729
The ColorOS Internet Browser com.heytap.browser application 45.10.3.4.1 for Android allows a remote attacker to execute arbitrary JavaScript code via the com.android.browser.RealBrowserActivity component. • https://github.com/actuator/com.heytap.browser https://play.google.com/store/apps/details?id=com.heytap.browser • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-42815
https://notcve.org/view.php?id=CVE-2024-42815
Attackers who successfully exploit this vulnerability can cause the remote target device to crash or execute arbitrary commands. • https://gist.github.com/XiaoCurry/14d46e0becd79d9bb9907f2fbe147cfe https://securityonline.info/cve-2024-42815-cvss-9-8-buffer-overflow-flaw-in-tp-link-routers-opens-door-to-rce • CWE-787: Out-of-bounds Write •
CVSS: 5.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-7910 – CodeAstro Online Railway Reservation System Profile Photo Update emp-profile-avatar.php unrestricted upload
https://notcve.org/view.php?id=CVE-2024-7910
A vulnerability was found in CodeAstro Online Railway Reservation System 1.0 and classified as critical. Affected by this issue is some unknown functionality of the file /admin/emp-profile-avatar.php of the component Profile Photo Update Handler. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • submit.391650 https://github.com/CYB84/CVE_Writeup/blob/main/Online%20Railway%20Reservation%20System/RCE%20via%20File%20Upload.md • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.7EPSS: 0%CPEs: -EXPL: 0CVE-2024-43005
https://notcve.org/view.php?id=CVE-2024-43005
A reflected cross-site scripting (XSS) vulnerability in the component dl_liuyan_save.php of ZZCMS v2023 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload. • http://zzcms.net https://github.com/gkdgkd123/codeAudit/blob/main/CVE-2024-43005%20ZZCMS2023%E5%8F%8D%E5%B0%84%E5%9E%8BXSS2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •