CVE-2023-37909 – Privilege escalation (PR)/remote code execution from account through Menu.UIExtensionSheet
https://notcve.org/view.php?id=CVE-2023-37909
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 5.1-rc-1 and prior to versions 14.10.8 and 15.3-rc-1, any user who can edit their own user profile can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.8 and 15.3-rc-1 by adding proper escaping. As a workaround, the patch can be manually applied to the document `Menu.UIExtensionSheet`; only three lines need to be changed. XWiki Platform es una plataforma wiki genérica que ofrece servicios de ejecución para aplicaciones creadas sobre ella. • https://github.com/xwiki/xwiki-platform/commit/9e8f080094333dec63a8583229a3799208d773be https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-v2rr-xw95-wcjx https://jira.xwiki.org/browse/XWIKI-20746 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2023-30912 – Hewlett Packard Enterprise OneView Backup Hard-coded Cryptographic Key Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-30912
A remote code execution issue exists in HPE OneView. Existe un problema de ejecución remota de código en HPE OneView. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise OneView. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The specific flaw exists within the Backup functionality. The issue results from the product's use of a hard-coded cryptographic key. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04548en_us • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-46010
https://notcve.org/view.php?id=CVE-2023-46010
An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary commands via the admin_safe.php component. Un problema en SeaCMS v.12.9 permite a un atacante ejecutar comandos arbitrarios a través del componente admin_safe.php. • http://seacms.com https://blog.csdn.net/DGS666/article/details/133795200?spm=1001.2014.3001.5501 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-28796 – IPC Bypass Through PLT Section in ELF
https://notcve.org/view.php?id=CVE-2023-28796
Improper Verification of Cryptographic Signature vulnerability in Zscaler Client Connector on Linux allows Code Injection. • https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.3.1&deployment_date=2022-09-19 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-347: Improper Verification of Cryptographic Signature •
CVE-2023-28793 – Heap Based Buffer Overflow in Library
https://notcve.org/view.php?id=CVE-2023-28793
Buffer overflow vulnerability in the signelf library used by Zscaler Client Connector on Linux allows Code Injection. • https://help.zscaler.com/client-connector/client-connector-app-release-summary-2022?applicable_category=Linux&applicable_version=1.3.1&deployment_date=2022-09-19 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-787: Out-of-bounds Write •