
CVE-2023-35152 – XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
https://notcve.org/view.php?id=CVE-2023-35152
23 Jun 2023 — XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged-in user can add dangerous content in their first name field and see it executed with programming rights, leading to rights escalation. The vulnerability has been fixed in XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. • https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2023-35150 – XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application
https://notcve.org/view.php?id=CVE-2023-35150
23 Jun 2023 — XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting a URL with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8. • https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CVE-2023-32480
https://notcve.org/view.php?id=CVE-2023-32480
23 Jun 2023 — An unauthenticated physical attacker may potentially exploit this vulnerability to perform arbitrary code execution. • https://www.dell.com/support/kbdoc/en-us/000214779/dsa-2023-175-dell-client-bios-security-update-for-an-improper-input-validation-vulnerability • CWE-20: Improper Input Validation

CVE-2023-23539
https://notcve.org/view.php?id=CVE-2023-23539
23 Jun 2023 — Mounting a maliciously crafted Samba network share may lead to arbitrary code execution. • https://support.apple.com/en-us/HT213605 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CVE-2023-32439 – Apple Multiple Products WebKit Type Confusion Vulnerability
https://notcve.org/view.php?id=CVE-2023-32439
23 Jun 2023 — Processing maliciously crafted web content may lead to arbitrary code execution. ... This issue occurs when processing maliciously crafted web content, which may lead to arbitrary code execution. ... If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution. • https://security.gentoo.org/glsa/202401-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')

CVE-2023-32435 – Apple Multiple Products WebKit Memory Corruption Vulnerability
https://notcve.org/view.php?id=CVE-2023-32435
23 Jun 2023 — Processing web content may lead to arbitrary code execution. ... This issue occurs when processing web content, which may lead to arbitrary code execution. • https://support.apple.com/en-us/HT213670 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-787: Out-of-bounds Write

CVE-2023-35174 – Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows
https://notcve.org/view.php?id=CVE-2023-35174
22 Jun 2023 — On Windows, it is possible to open a `livebook://` link from a browser which opens Livebook Desktop and triggers arbitrary code execution on the victim's machine. Any user using Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from a browser. • https://github.com/livebook-dev/livebook/commit/2e11b59f677c6ed3b6aa82dad412a8b3406ffdf1 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2023-35926 – Insecure sandbox in Backstage Scaffolder plugin
https://notcve.org/view.php?id=CVE-2023-35926
22 Jun 2023 — The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. • https://github.com/backstage/backstage/commit/fb7375507d56faedcb7bb3665480070593c8949a • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVE-2023-3110 – Buffer overflow in S0 Decryption on Unify Gateway
https://notcve.org/view.php?id=CVE-2023-3110
21 Jun 2023 — A vulnerability in SiLabs Unify Gateway 1.3.1 and earlier allows an unauthenticated attacker within Z-Wave range to overflow a stack buffer, leading to arbitrary code execution. • https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000V6HZzQAN?operationContext=S1 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write

CVE-2023-0972 – Buffer overflow in S0 Decryption on Z/IP Gateway
https://notcve.org/view.php?id=CVE-2023-0972
21 Jun 2023 — A vulnerability in SiLabs Z/IP Gateway 7.18.01 and earlier allows an unauthenticated attacker within Z-Wave range to overflow a stack buffer, leading to arbitrary code execution. • https://siliconlabs.lightning.force.com/sfc/servlet.shepherd/document/download/0698Y00000V6HZzQAN?operationContext=S1 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write