
CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0

File Upload vulnerability in Nanjin Xingyuantu Technology Co. Sparkshop (Spark Mall B2C Mall) v.1.1.6 and before allows a remote attacker to execute arbitrary code via the contorller/common.php component. • https://gist.github.com/J1rrY-learn/26524d4714a81cf2d64583069e96f765 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

This authenticated RCE in Thruk allows authorized users with network access to inject arbitrary commands via the URL parameter during PDF report generation. ... • https://github.com/sni/Thruk/commit/7e7eb251e76718a07639c4781f0d959d817f173b https://github.com/sni/Thruk/security/advisories/GHSA-r7gx-h738-4w6f • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

A remote attacker able to convince a PAM user to click on a specially crafted link to the PAM UI web interface could potentially execute arbitrary client-side code in the context of PAM UI. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24678 •

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

In Apache Linkis <= 1.5.0, the data source management module contains a remote code execution vulnerability when adding a MySQL data source, affecting deployments running a Java version < 1.8.0_241. The deserialization vulnerability, exploited through JRMP, can be used to inject malicious files into the server and execute them. The attack requires the attacker to first obtain an authorized Linkis account. • https://lists.apache.org/thread/0dnzh64xy1n7qo3rgo2loz9zn7m9xgdx • CWE-502: Deserialization of Untrusted Data •

CVSS: 8.5 | EPSS: 0% | CPEs: - | EXPL: 0

Versions of the package langchain-experimental from 0.0.15 and before 0.0.21 are vulnerable to Arbitrary Code Execution: when retrieving values from the database, the code calls 'eval' on every value. An attacker can exploit this and execute arbitrary Python code if they can control the input prompt and the server is configured with VectorSQLDatabaseChain. **Notes:** Impact on the Confidentiality, Integrity and Availability of the vulnerable component: Confidentiality: Code execution happens within the impacted component, in this case langchain-experimental, so all resources are necessarily accessible. ... The unintended actions one can perform by breaking out of the app environment (exfiltrating files, making remote connections, etc.) happen during the post-exploitation phase in the subsequent system, in this case the OS. • https://github.com/langchain-ai/langchain/blob/672907bbbb7c38bf19787b78e4ffd7c8a9026fe4/libs/experimental/langchain_experimental/sql/vector_sql.py%23L81 https://github.com/langchain-ai/langchain/commit/7b13292e3544b2f5f2bfb8a27a062ea2b0c34561 https://security.snyk.io/vuln/SNYK-PYTHON-LANGCHAINEXPERIMENTAL-7278171 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
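The langchain-experimental entry above describes a pattern worth seeing side by side with its fix: every value read back from the database is handed to `eval`, so a stored string that should be an embedding literal such as `"[0.1, 0.2]"` is indistinguishable from a string that is Python code. The example below is added here and is not langchain-experimental's code; the database rows, the function names `parse_value_vulnerable`, `parse_value_safe` and `run`, and the benign `os.getpid()` payload are all constructed for illustration. The hardened version uses `ast.literal_eval`, which only accepts literals and raises on anything else.

```python
"""Vulnerable eval-on-database-values pattern next to a literal-only parser.

Added example, not the project's own code. The rows below are constructed
stand-ins for what a vector SQL chain reads back: the first is the kind of
embedding string the code expects, the second is attacker-controlled content
(an attacker who steers the prompt steers the generated SQL and its results).
"""
import ast
import os
from typing import Any, Callable, Dict, Tuple

# Constructed "database rows": (document id, stored value as text).
ROWS = [
    ("doc-1", "[0.1, 0.2, 0.3]"),
    ("doc-2", "__import__('os').getpid()"),   # benign stand-in for a real payload
]


def parse_value_vulnerable(value: Any) -> Any:
    """The vulnerable pattern: eval() every value that comes back from the database.

    eval() compiles and runs arbitrary Python, so an attacker-controlled value
    such as "__import__('os').system('...')" executes inside the application.
    """
    try:
        return eval(value)
    except Exception:
        return value


def parse_value_safe(value: Any) -> Any:
    """Hardened: accept only Python literals (lists, numbers, strings, ...).

    ast.literal_eval parses the text into an AST and refuses anything that is
    not a literal, so function calls, attribute access and imports never run.
    Unparseable values are kept as raw strings instead of being executed.
    """
    if not isinstance(value, str):
        return value
    try:
        return ast.literal_eval(value)
    except (ValueError, SyntaxError):
        return value


def run(parser: Callable[[Any], Any]) -> Tuple[Dict[str, Any], bool]:
    """Parse every row with `parser`; report whether the doc-2 payload executed.

    The payload evaluates to this process's PID only if it was actually run,
    so comparing the parsed value with os.getpid() detects code execution.
    """
    parsed = {doc_id: parser(value) for doc_id, value in ROWS}
    payload_ran = parsed["doc-2"] == os.getpid()
    return parsed, payload_ran


if __name__ == "__main__":
    for name, parser in (("eval", parse_value_vulnerable),
                         ("literal_eval", parse_value_safe)):
        parsed, payload_ran = run(parser)
        print(f"{name:13s} doc-1={parsed['doc-1']!r} doc-2={parsed['doc-2']!r} "
              f"payload executed: {payload_ran}")
```

With `eval`, doc-2 comes back as the process ID, proof that the value was executed; with `ast.literal_eval` the same string is returned untouched and doc-1 still decodes to a list of floats. Swapping the parser removes the code-execution primitive but does not by itself constrain what SQL the chain generates from the prompt, so the database account it uses should still be read-only and scoped to the tables it needs.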