CVE-2023-6288
https://notcve.org/view.php?id=CVE-2023-6288
Code injection in Remote Desktop Manager 2023.3.9.3 and earlier on macOS allows an attacker to execute code via the DYLIB_INSERT_LIBRARIES environment variable. • https://devolutions.net/security/advisories/DEVO-2023-0021 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-49297 – Unsafe YAML deserialization in PyDrive2
https://notcve.org/view.php?id=CVE-2023-49297
Unsafe YAML deserilization will result in arbitrary code execution. A maliciously crafted YAML file can cause arbitrary code execution if PyDrive2 is run in the same directory as it, or if it is loaded in via `LoadSettingsFile`. • https://github.com/iterative/PyDrive2/commit/c57355dc2033ad90b7050d681b2c3ba548ff0004 https://github.com/iterative/PyDrive2/security/advisories/GHSA-v5f6-hjmf-9mc5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CYR5SJKOFSSXFV3E3D2SLXBUBA5WMJJG https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K34YWTDKBAYWZPOAKBYDM72WIFL5CAYW • CWE-502: Deserialization of Untrusted Data •
CVE-2023-49070 – Pre-auth RCE in Apache Ofbiz 18.12.09 due to XML-RPC still present
https://notcve.org/view.php?id=CVE-2023-49070
Pre-auth RCE in Apache Ofbiz 18.12.09. It's due to XML-RPC no longer maintained still present. This issue affects Apache OFBiz: before 18.12.10. Users are recommended to upgrade to version 18.12.10 RCE de autorización previa en Apache Ofbiz 18.12.09. Se debe a que XML-RPC ya no se mantiene presente. Este problema afecta a Apache OFBiz: antes del 18.12.10. Se recomienda a los usuarios actualizar a la versión 18.12.10 Apache OFBiz version 18.12.09 suffers from a pre-authentication remote code execution vulnerability. • https://github.com/UserConnecting/Exploit-CVE-2023-49070-and-CVE-2023-51467-Apache-OFBiz https://github.com/0xrobiul/CVE-2023-49070 https://github.com/Praison001/Apache-OFBiz-Auth-Bypass-and-RCE-Exploit-CVE-2023-49070-CVE-2023-51467 https://github.com/abdoghazy2015/ofbiz-CVE-2023-49070-RCE-POC http://packetstormsecurity.com/files/176323/Apache-OFBiz-18.12.09-Remote-Code-Execution.html https://issues.apache.org/jira/browse/OFBIZ-12812 https://lists.apache.org/thread/jmbqk2lp4t4483whzndp5xqlq4f3otg3 https • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-49830 – WordPress Astra Pro Plugin <= 4.3.1 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-49830
Improper Control of Generation of Code ('Code Injection') vulnerability in Brainstorm Force Astra Pro.This issue affects Astra Pro: from n/a through 4.3.1. • https://patchstack.com/database/vulnerability/astra-addon/wordpress-astra-pro-plugin-4-3-1-contributor-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-49291 – Improper Sanitization of Branch Name Leads to Arbitrary Code Injection
https://notcve.org/view.php?id=CVE-2023-49291
tj-actions/branch-names is a Github action to retrieve branch or tag names with support for all events. The `tj-actions/branch-names` GitHub Actions improperly references the `github.event.pull_request.head.ref` and `github.head_ref` context variables within a GitHub Actions `run` step. The head ref variable is the branch name and can be used to execute arbitrary code using a specially crafted branch name. As a result an attacker can use this vulnerability to steal secrets from or abuse `GITHUB_TOKEN` permissions. This vulnerability has been addressed in version 7.0.7. • https://github.com/tj-actions/branch-names/commit/4923d1ca41f928c24f1c1b3af9daaadfb71e6337 https://github.com/tj-actions/branch-names/commit/6c999acf206f5561e19f46301bb310e9e70d8815 https://github.com/tj-actions/branch-names/commit/726fe9ba5e9da4fcc716223b7994ffd0358af060 https://github.com/tj-actions/branch-names/security/advisories/GHSA-8v8w-v8xg-79rf https://securitylab.github.com/research/github-actions-untrusted-input • CWE-20: Improper Input Validation •