CVE-2023-47248 – PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file
https://notcve.org/view.php?id=CVE-2023-47248
Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. • https://github.com/apache/arrow/commit/f14170976372436ec1d03a724d8d3f3925484ecf https://lists.apache.org/thread/yhy7tdfjf9hrl9vfrtzo8p2cyjq87v7n https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FR34AIPXVTMB3XPRU5ULV5HHWPMRE33X https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGWEAJDWO2ACYATUQCPXLSYY5C3L3XU https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MWFYXLVBTBHNKYRXI572RFX7IJDDQGBL https://pypi.org/project/pyarrow-hotfix • CWE-502: Deserialization of Untrusted Data
CVE-2023-0392
https://notcve.org/view.php?id=CVE-2023-0392
The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution. • https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392 • CWE-428: Unquoted Search Path or Element
CVE-2023-45849 – Arbitrary Code Execution in Helix Core
https://notcve.org/view.php?id=CVE-2023-45849
An arbitrary code execution which results in privilege escalation was discovered in Helix Core versions prior to 2023.2. • https://perforce.com • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-47397
https://notcve.org/view.php?id=CVE-2023-47397
WeBid <=1.2.2 is vulnerable to code injection via admin/categoriestrans.php. • https://liotree.github.io/2023/webid.html • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2023-46243 – Code execution via the edit action in XWiki platform
https://notcve.org/view.php?id=CVE-2023-46243
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. In affected versions it is possible for a user to execute any content with the rights of an existing document's content author, provided the user has edit rights on that document. A crafted URL of the form ` /xwiki/bin/edit//?content=%7B%7Bgroovy%7D%7Dprintln%28%22Hello+from+Groovy%21%22%29%7B%7B%2Fgroovy%7D%7D&xpage=view` can be used to execute arbitrary Groovy code on the server. This vulnerability has been patched in XWiki versions 14.10.6 and 15.2RC1. • https://github.com/xwiki/xwiki-platform/commit/a0e6ca083b36be6f183b9af33ae735c1e02010f4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-g2qq-c5j9-5w5w https://jira.xwiki.org/browse/XWIKI-20385 • CWE-94: Improper Control of Generation of Code ('Code Injection')