CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51503 – Trend Micro Deep Security Agent Manual Scan Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-51503
A security agent manual scan command injection vulnerability in the Trend Micro Deep Security 20 Agent could allow an attacker to escalate privileges and execute arbitrary code on an affected machine. In certain circumstances, attackers that have legitimate access to the domain may be able to remotely inject commands to other machines in the same domain. Please note: an attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability locally and must have domain user privileges to affect other machines. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Deep Security Agent. ... The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://success.trendmicro.com/en-US/solution/KA-0018154 https://www.zerodayinitiative.com/advisories/ZDI-24-1516 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10899 – WooCommerce Product Table Lite <= 3.8.6 - Unauthenticated Arbitrary Shortcode Execution & Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-10899
The The WooCommerce Product Table Lite plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 3.8.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/wc-product-table-lite/tags/3.8.6/main.php#L1778 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3190789%40wc-product-table-lite&new=3190789%40wc-product-table-lite&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/c9b010ff-8a4a-4553-bb2b-d58a254d7ee4?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10913 – Clone <= 2.4.6 - Unauthenticated PHP Object Injection via 'recursive_unserialized_replace'
https://notcve.org/view.php?id=CVE-2024-10913
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy//tags/2.4.6/lib/icit_srdb_replacer.php#L24 https://plugins.trac.wordpress.org/browser/wp-clone-by-wp-academy/tags/2.4.7/lib/icit_srdb_replacer.php#L24 https://www.wordfence.com/threat-intel/vulnerabilities/id/16569267-ab52-4b96-86f0-d37c470a3938?source=cve • CWE-502: Deserialization of Untrusted Data •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48069
https://notcve.org/view.php?id=CVE-2024-48069
A remote code execution (RCE) vulnerability in the component /inventory/doCptimpoptInventory of Weaver Ecology v9.* allows attackers to execute arbitrary code via injecting a crafted payload into the name of an uploaded file. • https://gist.github.com/CoinIsMoney/5dd555805e8f974630ced8a1df8182f1 https://github.com/stuven1989/TemporaryGuild/blob/main/guild2.md • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48694
https://notcve.org/view.php?id=CVE-2024-48694
File Upload vulnerability in Xi'an Daxi Information technology OfficeWeb365 v.8.6.1.0 and v7.18.23.0 allows a remote attacker to execute arbitrary code via the pw/savedraw component. • https://avd.aliyun.com/detail?id=AVD-2023-1678930 https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/32024c5dbb7ff60fa7347cccf6ebb3763a513e7a/docs/wiki/webapp/OfficeWeb365/OfficeWeb365%20SaveDraw%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md?plain=1#L24 https://github.com/Threekiii/Vulnerability-Wiki/blob/master/docs-base/docs/webapp/OfficeWeb365-SaveDraw-%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md https:/&# • CWE-94: Improper Control of Generation of Code ('Code Injection') •