CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7257 – YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via handle_upload_file Function
https://notcve.org/view.php?id=CVE-2024-7257
02 Aug 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/yayextra/tags/1.3.6/includes/Classes/ProductPage.php#L1413 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.5EPSS: 0%CPEs: 8EXPL: 1CVE-2024-38876 – Siemens Energy Omnivise T3000 8.2 SP3 Privilege Escalation / File Download
https://notcve.org/view.php?id=CVE-2024-38876
02 Aug 2024 — The affected application regularly executes user modifiable code as a privileged user. This could allow a local authenticated attacker to execute arbitrary code with elevated privileges. • https://packetstorm.news/files/id/182667 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 0CVE-2024-36268 – Apache InLong TubeMQ Client: Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-36268
02 Aug 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in Apache InLong. This issue affects Apache InLong: from 1.10.0 through 1.12.0, which could lead to Remote Code Execution. • https://lists.apache.org/thread/1w1yp1bg5sjvn46dszkf00tz1vfs0frc • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-39392 – Adobe Indesign 2024 EPS File Parsing Heap Memory Corruption Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-39392
02 Aug 2024 — InDesign Desktop versions ID18.5.2, ID19.3 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/indesign/apsb24-48.html • CWE-122: Heap-based Buffer Overflow •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38882 – Caterease SQL Injection / Command Injection / Bypass
https://notcve.org/view.php?id=CVE-2024-38882
02 Aug 2024 — Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform command line execution through SQL Injection due to improper neutralization of special elements used in an OS command. ... The issues include problems like remote SQL injection, command injection, authentication bypass, hard-coded credentials, and more. • https://packetstormsecurity.com/files/179892/Caterease-Software-SQL-Injection-Command-Injection-Bypass.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 2CVE-2024-33896 – Ewon Cosy+ Command Injection
https://notcve.org/view.php?id=CVE-2024-33896
02 Aug 2024 — Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. ... The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. • https://github.com/codeb0ss/CVE-2024-33896-PoC •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38887 – Caterease SQL Injection / Command Injection / Bypass
https://notcve.org/view.php?id=CVE-2024-38887
02 Aug 2024 — Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to expand control over the operating system from the database due to the execution of commands with unnecessary privileges. ... The issues include problems like remote SQL injection, command injection, authentication bypass, hard-coded credentials, and more. • https://packetstormsecurity.com/files/179892/Caterease-Software-SQL-Injection-Command-Injection-Bypass.html • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-41333 – Tourism Management System 2.0 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-41333
02 Aug 2024 — A reflected cross-site scripting (XSS) vulnerability in Phpgurukul Tourism Management System v2.0 allows attackers to execute arbitrary code in the context of a user's browser via injecting a crafted payload into the uname parameter. • https://packetstorm.news/files/id/179891 •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41956 – Soft Serve allows arbitrary code execution by crafting git-lfs requests
https://notcve.org/view.php?id=CVE-2024-41956
01 Aug 2024 — Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. ... This includes environment variables that control program execution, such as LD_PRELOAD. • https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-6873 – Specially crafted request could caused undefined behaviour which may lead to Remote Code Execution.
https://notcve.org/view.php?id=CVE-2024-6873
01 Aug 2024 — It is possible to crash or redirect the execution flow of the ClickHouse server process from an unauthenticated vector by sending a specially crafted request to the ClickHouse server native interface. It is possible to crash or redirect the execution flow of the ClickHouse server process from an unauthenticated vector by sending a specially crafted request to the ClickHouse server native interface. This redirection is limited to what is available within a 256-byte range of memory at the time o... • https://github.com/ClickHouse/ClickHouse/security/advisories/GHSA-432f-r822-j66f • CWE-122: Heap-based Buffer Overflow •