CVE-2024-43955 – WordPress Droip plugin <= 1.1.1 - Unauthenticated Arbitrary File Download/Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-43955
26 Aug 2024 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/droip/wordpress-droip-plugin-1-1-1-unauthenticated-arbitrary-file-download-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-45187 – Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution
https://notcve.org/view.php?id=CVE-2024-45187
23 Aug 2024 — Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges, specifically access to remotely execute arbitrary code through the Mage AI terminal server. • https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602 • CWE-266: Incorrect Privilege Assignment CWE-613: Insufficient Session Expiration •
CVE-2024-7954 – SPIP porte_plume Plugin Arbitrary PHP Execution
https://notcve.org/view.php?id=CVE-2024-7954
23 Aug 2024 — The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. The porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an a... • https://github.com/fa-rrel/CVE-2024-7954-RCE • CWE-284: Improper Access Control •
CVE-2024-43791 – RequestStore has Incorrect Default Permissions
https://notcve.org/view.php?id=CVE-2024-43791
23 Aug 2024 — The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. • https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m • CWE-276: Incorrect Default Permissions •
CVE-2024-5466 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5466
23 Aug 2024 — Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to authenticated remote code execution in the deploy agent option. • https://www.manageengine.com/itom/advisory/cve-2024-5466.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-43883 – usb: vhci-hcd: Do not drop references before new references are gained
https://notcve.org/view.php?id=CVE-2024-43883
23 Aug 2024 — An attacker with access to the VMM could use this to cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/5a3c473b28ae1c1f7c4dc129e30cb19ae6e96f89 •
CVE-2024-7129 – Appointment Booking Calendar < 1.6.7.43 - Admin+ Template Injection to RCE
https://notcve.org/view.php?id=CVE-2024-7129
23 Aug 2024 — The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin WordPress plugin before 1.6.7.43 does not escape template syntax provided via user input, leading to Twig Template Injection which, when further exploited, can result in remote code execution by high-privilege users such as admins. The Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and includi... • https://wpscan.com/vulnerability/00ad9b1a-97a5-425f-841e-ea48f72ecda4 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-7772 – Jupiter X Core <= 4.6.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7772
23 Aug 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/jupiterx-core/trunk/includes/extensions/raven/includes/modules/forms/classes/ajax-handler.php • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-42756
https://notcve.org/view.php?id=CVE-2024-42756
23 Aug 2024 — An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page • https://github.com/Nop3z/CVE/blob/main/Netgear/Netgear%20DGN1000%20RCE/Netgear%20DGN1000%20RCE.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-42918
https://notcve.org/view.php?id=CVE-2024-42918
23 Aug 2024 — itsourcecode Online Accreditation Management System contains a Cross Site Scripting vulnerability, which allows an attacker to execute arbitrary code via a crafted payload to the SCHOOLNAME, EMAILADDRES, CONTACTNO, COMPANYNAME and COMPANYCONTACTNO parameters in controller.php. • https://github.com/n00bS3cLe4rner/CVE-s/blob/main/CVE-2024-42918.md •