
CVE-2024-8614 – WP JobSearch <= 2.6.7 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8614
05 Nov 2024 — The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_wp_handle_upload() function in all versions up to, and including, 2.6.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-8615 – WP JobSearch <= 2.6.7 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8615
05 Nov 2024 — The JobSearch WP Job Board plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the jobsearch_location_load_excel_file_callback() function in all versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/jobsearch-wp-job-board-wordpress-plugin/21066856 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-51735 – Stored Cross-site Scripting to RCE on Osmedeus Web Server
https://notcve.org/view.php?id=CVE-2024-51735
05 Nov 2024 — Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedeus web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template. The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS... • https://github.com/j3ssie/osmedeus/security/advisories/GHSA-wvv7-wm5v-w2gv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVE-2024-50333 – RCE in ModuleBuilder in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50333
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 • CWE-20: Improper Input Validation •

CVE-2024-9307 – mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files
https://notcve.org/view.php?id=CVE-2024-9307
05 Nov 2024 — This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file. • https://wordpress.org/plugins/mfolio-lite/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-50138 – bpf: Use raw_spinlock_t in ringbuf
https://notcve.org/view.php?id=CVE-2024-50138
05 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/457f44363a8894135c85b7a9afd2bd8196db24ab •

CVE-2024-50135 – nvme-pci: fix race condition between reset and nvme_dev_disable()
https://notcve.org/view.php?id=CVE-2024-50135
05 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/949928c1c731417cc0f070912c63878b62b544f4 •

CVE-2024-50134 – drm/vboxvideo: Replace fake VLA at end of vbva_mouse_pointer_shape with real VLA
https://notcve.org/view.php?id=CVE-2024-50134
05 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/dd55d44f408419278c00887bfcb2261d0caae350 •

CVE-2024-50133 – LoongArch: Don't crash in stack_top() for tasks without vDSO
https://notcve.org/view.php?id=CVE-2024-50133
05 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/803b0fc5c3f2baa6e54978cd576407896f789b08 •

CVE-2024-50132 – tracing/probes: Fix MAX_TRACE_ARGS limit handling
https://notcve.org/view.php?id=CVE-2024-50132
05 Nov 2024 — An attacker could use a specially crafted file system image that, when mounted, could cause a denial of service or possibly execute arbitrary code. • https://git.kernel.org/stable/c/035ba76014c096316fa809a46ce0a1b9af1cde0d •