CVE-2023-38221 – Adobe Commerce | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)
https://notcve.org/view.php?id=CVE-2023-38221
Adobe Commerce versions 2.4.7-beta1 (and earlier), 2.4.6-p2 (and earlier), 2.4.5-p4 (and earlier) and 2.4.4-p5 (and earlier) are affected by an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that could lead in arbitrary code execution by an admin-privilege authenticated attacker. • https://helpx.adobe.com/security/products/magento/apsb23-50.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-45133 – Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
https://notcve.org/view.php?id=CVE-2023-45133
In `@babel/traverse` prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of `babel-traverse`, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the `path.evaluate()`or `path.evaluateTruthy()` internal Babel methods. • https://github.com/babel/babel/commit/b13376b346946e3f62fc0848c1d2a23223314c82 https://github.com/babel/babel/pull/16033 https://github.com/babel/babel/releases/tag/v7.23.2 https://github.com/babel/babel/releases/tag/v8.0.0-alpha.4 https://github.com/babel/babel/security/advisories/GHSA-67hx-6x53-jw92 https://lists.debian.org/debian-lts-announce/2023/10/msg00026.html https://www.debian.org/security/2023/dsa-5528 • CWE-184: Incomplete List of Disallowed Inputs CWE-697: Incorrect Comparison •
CVE-2023-27395
https://notcve.org/view.php?id=CVE-2023-27395
A specially crafted network packet can lead to arbitrary code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2023-1735 https://www.softether.org/9-about/News/904-SEVPN202301 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-29453 – Agent 2 package are built with Go version affected by CVE-2023-24538
https://notcve.org/view.php?id=CVE-2023-29453
Templates do not properly consider backticks (`) as Javascript string delimiters, and do not escape them as expected. Backticks are used, since ES6, for JS template literals. If a template contains a Go template action within a Javascript template literal, the contents of the action can be used to terminate the literal, injecting arbitrary Javascript code into the Go template. As ES6 template literals are rather complex, and themselves can do string interpolation, the decision was made to simply disallow Go template actions from being used inside of them (e.g., "var a = {{.}}"), since there is no obviously safe way to allow this behavior. This takes the same approach as github.com/google/safehtml. • https://support.zabbix.com/browse/ZBX-23388 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-45751 – WordPress Nexter Extension Plugin <= 2.0.3 is vulnerable to Remote Code Execution (RCE)
https://notcve.org/view.php?id=CVE-2023-45751
Improper Control of Generation of Code ('Code Injection') vulnerability in POSIMYTH Nexter Extension.This issue affects Nexter Extension: from n/a through 2.0.3. • https://patchstack.com/database/vulnerability/nexter-extension/wordpress-nexter-extension-plugin-2-0-3-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •