CVE-2024-10629 – GPX Viewer <= 2.2.8 - Authenticated (Subscriber+) Arbitrary File Creation
https://notcve.org/view.php?id=CVE-2024-10629
The GPX Viewer plugin for WordPress is vulnerable to arbitrary file creation due to a missing capability check and file type validation in the gpxv_file_upload() function in all versions up to, and including, 2.2.8. This makes it possible for authenticated attackers, with subscriber-level access and above, to create arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/gpx-viewer/tags/2.2.9/gpx-viewer-admin.php#L144 https://www.wordfence.com/threat-intel/vulnerabilities/id/cfc6ff21-52f5-453f-bf97-881c39be1aeb?source=cve • CWE-862: Missing Authorization •
CVE-2024-50557
https://notcve.org/view.php?id=CVE-2024-50557
This could allow an unauthenticated remote attacker to execute arbitrary code on the device. • https://cert-portal.siemens.com/productcert/html/ssa-354112.html • CWE-20: Improper Input Validation •
CVE-2024-47942
https://notcve.org/view.php?id=CVE-2024-47942
The affected applications suffer from a DLL hijacking vulnerability. This could allow an attacker to execute arbitrary code via placing a crafted DLL file on the system. • https://cert-portal.siemens.com/productcert/html/ssa-351178.html • CWE-427: Uncontrolled Search Path Element •
CVE-2024-46890
https://notcve.org/view.php?id=CVE-2024-46890
This could allow an authenticated remote attacker with high privileges on the application to execute arbitrary code on the underlying OS. • https://cert-portal.siemens.com/productcert/html/ssa-915275.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-44102
https://notcve.org/view.php?id=CVE-2024-44102
This could allow the attacker to execute arbitrary code on the device with SYSTEM privileges. • https://cert-portal.siemens.com/productcert/html/ssa-454789.html • CWE-502: Deserialization of Untrusted Data •