CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-5651 – Fence-agents-remediation: fence agent command line options leads to remote code execution
https://notcve.org/view.php?id=CVE-2024-5651
This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges. ... This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. ... This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges. • https://access.redhat.com/security/cve/CVE-2024-5651 https://bugzilla.redhat.com/show_bug.cgi?id=2290540 https://access.redhat.com/errata/RHSA-2024:5453 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-40500
https://notcve.org/view.php?id=CVE-2024-40500
Cross Site Scripting vulnerability in Martin Kucej i-librarian v.5.11.0 and before allows a local attacker to execute arbitrary code via the search function in the import component. • https://github.com/nitipoom-jar/CVE-2024-40500 https://nitipoom-jar.github.io/CVE-2024-40500 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43249 – WordPress Bit Form Pro plugin <= 2.6.4 - Authenticated Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-43249
The Bit Form Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/bitformpro/wordpress-bit-form-pro-plugin-2-6-4-authenticated-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-33536
https://notcve.org/view.php?id=CVE-2024-33536
The vulnerability occurs due to inadequate input validation of the res parameter, allowing an authenticated attacker to inject and execute arbitrary JavaScript code within the context of another user's browser session. ... Subsequently, when another user visits the crafted URL, the malicious JavaScript code is executed. • https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.8#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P40#Security_Fixes •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-41651
https://notcve.org/view.php?id=CVE-2024-41651
An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. An issue in Prestashop v.8.1.7 and before allows a remote attacker to execute arbitrary code via the module upgrade functionality. NOTE: this is disputed by multiple parties, who report that exploitation requires that an attacker be able to hijack network requests made by an admin user (who, by design, is allowed to change the code that is running on the server). • https://github.com/Fckroun/CVE-2024-41651 https://github.com/Fckroun/CVE-2024-41651/tree/main • CWE-94: Improper Control of Generation of Code ('Code Injection') •