CVE-2024-4748 – RCE in Cruddiy
https://notcve.org/view.php?id=CVE-2024-4748
The CRUDDIY project is vulnerable to shell command injection via sending a crafted POST request to the application server. The exploitation risk is limited since CRUDDIY is meant to be launched locally. Nevertheless, a user with the project running on their computer might visit a website which would send such a malicious request to the locally launched server. El proyecto CRUDDIY es vulnerable a la inyección de comandos de shell mediante el envío de una solicitud POST manipulada al servidor de aplicaciones. El riesgo de explotación es limitado ya que CRUDDIY debe lanzarse localmente. Sin embargo, un usuario con el proyecto ejecutándose en su computadora podría visitar un sitio web que enviaría una solicitud maliciosa al servidor iniciado localmente. • https://cert.pl/en/posts/2024/06/CVE-2024-4748 https://cert.pl/posts/2024/06/CVE-2024-4748 https://github.com/jan-vandenberg/cruddiy/issues/67 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-5683 – Remote Code Execution in Next4Biz's BPM
https://notcve.org/view.php?id=CVE-2024-5683
Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. • https://www.usom.gov.tr/bildirim/tr-24-0739 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-24551 – Bludit - Remote Code Execution (RCE) through Image API
https://notcve.org/view.php?id=CVE-2024-24551
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. • https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVE-2024-24550 – Bludit - Remote Code Execution (RCE) through File API
https://notcve.org/view.php?id=CVE-2024-24550
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. • https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVE-2024-3121 – Remote Code Execution in create_conda_env function in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-3121
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. • https://github.com/Abo5/CVE-2024-31210 https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b • CWE-94: Improper Control of Generation of Code ('Code Injection') •