CVE-2023-39281
https://notcve.org/view.php?id=CVE-2023-39281
A stack buffer overflow vulnerability discovered in AsfSecureBootDxe in Insyde InsydeH2O with kernel 5.0 through 5.5 allows attackers to run arbitrary code execution during the DXE phase. • https://www.insyde.com/security-pledge https://www.insyde.com/security-pledge/SA-2023054 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-46248 – Overwrite of builtin Cody commands facilitates RCE
https://notcve.org/view.php?id=CVE-2023-46248
If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. • https://github.com/sourcegraph/cody/pull/1414 https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwq • CWE-15: External Control of System or Configuration Setting •
CVE-2023-42658 – InSpec Archive Command Vulnerable to Maliciously Crafted Profile
https://notcve.org/view.php?id=CVE-2023-42658
Archive command in Chef InSpec prior to 4.56.58 and 5.22.29 allow local command execution via maliciously crafted profile. El comando de archivo en Chef InSpec anteriores a 4.56.58 y 5.22.29 permite la ejecución de comandos locales a través de un perfil creado con fines malintencionados. • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Inspec-CVE-2023-42658 https://docs.chef.io/inspec/cli https://docs.chef.io/release_notes_inspec • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVE-2023-40050 – Automate Vulnerable to Malicious Content Uploaded Through Embedded Compliance Application
https://notcve.org/view.php?id=CVE-2023-40050
Upload profile either through API or user interface in Chef Automate prior to and including version 4.10.29 using InSpec check command with maliciously crafted profile allows remote code execution. Cargue el perfil a través de API o interfaz de usuario en Chef Automate antes de la versión 4.10.29 incluida utilizando el comando de verificación InSpec con un perfil creado con fines malintencionados que permite la ejecución remota de código. • https://community.progress.com/s/article/Product-Alert-Bulletin-October-2023-CHEF-Automate-CVE-2023-40050 https://docs.chef.io/automate/profiles https://docs.chef.io/release_notes_automate • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2023-43792 – baserCMS Code Injection Vulnerability in Mail Form Feature
https://notcve.org/view.php?id=CVE-2023-43792
In versions 4.6.0 through 4.7.6, there is a Code Injection vulnerability in the mail form of baserCMS. • https://basercms.net/security/JVN_45547161 https://github.com/baserproject/basercms/security/advisories/GHSA-vrm6-c878-fpq6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •