
CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

30 Jun 2023 — The Malwarebytes EDR 1.0.11 for Linux driver does not properly enforce whitelisting of executable libraries loaded by executable files, allowing arbitrary code execution. • https://malwarebytes.com • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •

CVSS: 9.9 • EPSS: 1% • CPEs: 5 • EXPL: 2

29 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.6 and 15.2RC1. Users are advised to update. As a workaround the main security fix can be manually applied by patching the affect... • https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.9 • EPSS: 1% • CPEs: 5 • EXPL: 2

29 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new document or editing an existing document with an icon set, an attacker can inject XWiki syntax and Velocity code that is executed with programming rights and thus allows remote code execution. There are different attack vectors; the simplest is Velocity code in the icon set's HTML or XWiki syntax definition. The [icon picker](https://extensions.xwiki.org/xwiki/bin/view/Extension/Icon%... • https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

29 Jun 2023 — Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE). • https://discourse.orthanc-server.org/t/security-advisory-for-orthanc-deployments-running-versions-before-1-12-0/3568 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 2 • EXPL: 0

28 Jun 2023 — IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to a remote code execution attack via JNDI injection when the driver code or the application using the driver does not verify the supplied LDAP URL in the connect string. IBM X-Force ID: 249511. • https://exchange.xforce.ibmcloud.com/vulnerabilities/249511 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

28 Jun 2023 — AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the 'Template' field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended workaround. • https://github.com/awslabs/aws-dataall/pull/472 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Jun 2023 — Bagisto v1.5.1 is vulnerable to Server-Side Template Injection (SSTI). • https://siltonrenato02.medium.com/a-brief-summary-about-a-ssti-to-rce-in-bagisto-e900ac450490 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

26 Jun 2023 — Server-Side Template Injection (SSTI) vulnerability in jFinal v.4.9.08 allows a remote attacker to execute arbitrary code via the template function. • https://github.com/jfinal/jfinal/issues/187 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Jun 2023 — It was discovered that the GNU C Library, when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. • https://security.netapp.com/advisory/ntap-20230731-0009 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •

CVSS: 8.3 • EPSS: 0% • CPEs: 1 • EXPL: 1

23 Jun 2023 — Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. • https://github.com/fossbilling/fossbilling/commit/47343fb58db5c17c14bc6941dacbeb9c96957351 • CWE-94: Improper Control of Generation of Code ('Code Injection') •