
CVE-2024-50611
https://notcve.org/view.php?id=CVE-2024-50611
27 Oct 2024 — CycloneDX cdxgen through 10.10.7, when run against an untrusted codebase, may execute code contained within build-related files such as build.gradle.kts, a similar issue to CVE-2022-24441. cdxgen is used by, for example, OWASP dep-scan. • https://github.com/CycloneDX/cdxgen/issues/1328 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-9162 – All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
https://notcve.org/view.php?id=CVE-2024-9162
27 Oct 2024 — The All-in-One WP Migration and Backup plugin for WordPress is vulnerable to arbitrary PHP Code Injection due to missing file type validation during the export in all versions up to, and including, 7.86. This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution ... • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-50623 – Cleo Multiple Products Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2024-50623
27 Oct 2024 — In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. Cleo Harmony, VLTrader, and LexiCom, which are managed file transfer products, contain an unrestricted file upload and download vulnerability that can lead to remote code execution with elevated privileges. • https://github.com/watchtowrlabs/CVE-2024-50623 • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-47821 – pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
https://notcve.org/view.php?id=CVE-2024-47821
25 Oct 2024 — By downloading an executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-9772 – Uix Shortcodes – Compatible with Gutenberg <= 1.9.9 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-9772
25 Oct 2024 — The Uix Shortcodes – Compatible with Gutenberg plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.9. ... This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/uix-shortcodes/trunk/shortcodes/templates/default/frontpage-init.php#L9 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-49380 – Plenti arbitrary file write vulnerability
https://notcve.org/view.php?id=CVE-2024-49380
25 Oct 2024 — Plenti, a static site generator, has an arbitrary file write vulnerability in versions prior to 0.7.2. The `/postLocal` endpoint is vulnerable to an arbitrary file write vulnerability when a plenti user serves their website. This issue may lead to Remote Code Execution. • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2024-49378 – smartUp Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-49378
25 Oct 2024 — The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. • https://github.com/zimocode/smartup/blob/2144ec161697751b1a6702f1af866726ea689e4e/js/background.js#L3800 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-47158
https://notcve.org/view.php?id=CVE-2024-47158
25 Oct 2024 — N-LINE 2.0.6 and prior versions contain a code injection vulnerability. If this vulnerability is exploited, arbitrary code may be executed on the instructor's browser, or the instructor may be directed to a malicious website. • https://jvn.jp/en/jp/JVN57285747 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2022-30268
https://notcve.org/view.php?id=CVE-2022-30268
25 Oct 2024 — This could allow an attacker to push malicious firmware images to the controller and cause a denial-of-service condition or allow remote code execution. •

CVE-2023-20577
https://notcve.org/view.php?id=CVE-2023-20577
25 Oct 2024 — A heap overflow in an SMM module may allow an attacker with access to a second vulnerability that enables writing to SPI flash, potentially resulting in arbitrary code execution. •