![](/assets/img/cve_300x82_sin_bg.png)
CVE-2024-42788
https://notcve.org/view.php?id=CVE-2024-42788
26 Aug 2024 — This vulnerability allows remote attackers to execute arbitrary code via "title" & "artist" parameter fields. • https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-41285
https://notcve.org/view.php?id=CVE-2024-41285
26 Aug 2024 — A stack overflow in FAST FW300R v1.3.13 Build 141023 Rel.61347n allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted file path. • https://gist.github.com/Giles-one/834b2becd7abebc3cabea0484301d149 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-42789
https://notcve.org/view.php?id=CVE-2024-42789
26 Aug 2024 — This vulnerability allows remote attackers to execute arbitrary code via the "page" parameter. • https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-42790
https://notcve.org/view.php?id=CVE-2024-42790
26 Aug 2024 — This vulnerability allows remote attackers to execute arbitrary code via the "page" parameter. • https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-42787
https://notcve.org/view.php?id=CVE-2024-42787
26 Aug 2024 — This vulnerability allows remote attackers to execute arbitrary code via "title" & "description" parameter fields. • https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-45265
https://notcve.org/view.php?id=CVE-2024-45265
26 Aug 2024 — A SQL injection vulnerability in the poll component in SkySystem Arfa-CMS before 5.1.3124 allows remote attackers to execute arbitrary SQL commands via the psid parameter. • https://github.com/TheHermione/CVE-2024-45265 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-43955 – WordPress Droip plugin <= 1.1.1 - Unauthenticated Arbitrary File Download/Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-43955
26 Aug 2024 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/droip/wordpress-droip-plugin-1-1-1-unauthenticated-arbitrary-file-download-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-45187 – Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution
https://notcve.org/view.php?id=CVE-2024-45187
23 Aug 2024 — Guest users in the Mage AI framework who remain logged in after their accounts are deleted are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server. • https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602 • CWE-266: Incorrect Privilege Assignment • CWE-613: Insufficient Session Expiration •
CVE-2024-7954 – SPIP porte_plume Plugin Arbitrary PHP Execution
https://notcve.org/view.php?id=CVE-2024-7954
23 Aug 2024 — The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. A remote and unauthenticated attacker can execute arbitrary PHP as the SPIP user by sending a crafted HTTP request. The porte_plume plugin used by SPIP versions prior to 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to ... • https://github.com/fa-rrel/CVE-2024-7954-RCE • CWE-284: Improper Access Control •
CVE-2024-43791 – RequestStore has Incorrect Default Permissions
https://notcve.org/view.php?id=CVE-2024-43791
23 Aug 2024 — The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. • https://github.com/steveklabnik/request_store/security/advisories/GHSA-frp2-5qfc-7r8m • CWE-276: Incorrect Default Permissions •