CVE-2023-41005
https://notcve.org/view.php?id=CVE-2023-41005
An issue in Pagekit pagekit v.1.0.18 alows a remote attacker to execute arbitrary code via thedownloadAction and updateAction functions in UpdateController.php Un problema en Pagekit v1.0.18 permite a un atacante remoto ejecutar código arbitrario a través de las funciones "thedownloadAction" y "updateAction" en "UpdateController.php". • https://github.com/pagekit/pagekit/issues/977 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-39059
https://notcve.org/view.php?id=CVE-2023-39059
An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter. • https://gist.github.com/Alevsk/1757da24c5fb8db735d392fd4146ca3a https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-4521 – Import XML and RSS Feeds < 2.1.5 - Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2023-4521
The Import XML and RSS Feeds WordPress plugin before 2.1.5 contains a web shell, allowing unauthenticated attackers to perform RCE. The plugin/vendor was not compromised and the files are the result of running a PoC for a previously reported issue (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) and not deleting the created files when releasing the new version. El complemento de WordPress Import XML and RSS Feeds anterior a 2.1.5 contiene un shell web que permite a atacantes no autenticados realizar RCE. El complemento/proveedor no se vio comprometido y los archivos son el resultado de ejecutar una PoC para un problema informado anteriormente (https://wpscan.com/vulnerability/d4220025-2272-4d5f-9703-4b2ac4a51c42) y no eliminar los archivos creados cuando lanzando la nueva versión. The Import XML and RSS Feeds for WordPress is vulnerable to remote code execution in versions up to, and including, 2.1.4. • https://wpscan.com/vulnerability/de2cdb38-3a9f-448e-b564-a798d1e93481 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-40031 – Notepad++ vulnerable to heap buffer write overflow in Utf8_16_Read::convert
https://notcve.org/view.php?id=CVE-2023-40031
This issue may lead to arbitrary code execution. • https://github.com/webraybtl/CVE-2023-40031 https://securitylab.github.com/advisories/GHSL-2023-092_Notepad__ • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-122: Heap-based Buffer Overflow •
CVE-2023-40030 – Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports
https://notcve.org/view.php?id=CVE-2023-40030
Please note that even with these vulnerabilities fixed, by design Cargo allows arbitrary code execution at build time thanks to build scripts and procedural macros: a malicious dependency will be able to cause damage regardless of these vulnerabilities. crates.io has server-side checks preventing this attack, and there are no packages on crates.io exploiting these vulnerabilities. crates.io users still need to excercise care in choosing their dependencies though, as remote code execution is allowed by design there as well. • https://github.com/rust-lang/cargo/commit/9835622853f08be9a4b58ebe29dcec8f43b64b33 https://github.com/rust-lang/cargo/commit/f975722a0eac934c0722f111f107c4ea2f5c4365 https://github.com/rust-lang/cargo/pull/12291 https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •