CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38943
https://notcve.org/view.php?id=CVE-2023-38943
ShuiZe_0x727 v1.0 was discovered to contain a remote command execution (RCE) vulnerability via the component /iniFile/config.ini. • https://github.com/0x727/ShuiZe_0x727 https://github.com/0x727/ShuiZe_0x727/issues/160 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-36095
https://notcve.org/view.php?id=CVE-2023-36095
An issue in Harrison Chase langchain v.0.0.194 allows an attacker to execute arbitrary code via the python exec calls in the PALChain, affected functions include from_math_prompt and from_colored_object_prompt. • http://langchain.com https://github.com/hwchase17/langchain https://github.com/langchain-ai/langchain/issues/5872 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 8EXPL: 0CVE-2023-37470 – Metabase vulnerable to remote code execution via POST /api/setup/validate API endpoint
https://notcve.org/view.php?id=CVE-2023-37470
Metabase is an open-source business intelligence and analytics platform. Prior to versions 0.43.7.3, 0.44.7.3, 0.45.4.3, 0.46.6.4, 1.43.7.3, 1.44.7.3, 1.45.4.3, and 1.46.6.4, a vulnerability could potentially allow remote code execution on one's Metabase server. The core issue is that one of the supported data warehouses (an embedded in-memory database H2), exposes a number of ways for a connection string to include code that is then executed by the process running the embedded database. Because Metabase allows users to connect to databases, this means that a user supplied string can be used to inject executable code. Metabase allows users to validate their connection string before adding a database (including on setup), and this validation API was the primary vector used as it can be called without validation. • https://github.com/metabase/metabase/security/advisories/GHSA-p7w3-9m58-rq83 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-0118 – Foreman: arbitrary code execution through templates
https://notcve.org/view.php?id=CVE-2023-0118
An arbitrary code execution flaw was found in Foreman. • https://access.redhat.com/errata/RHSA-2023:4466 https://access.redhat.com/errata/RHSA-2023:5979 https://access.redhat.com/errata/RHSA-2023:5980 https://access.redhat.com/errata/RHSA-2023:6818 https://access.redhat.com/security/cve/CVE-2023-0118 https://bugzilla.redhat.com/show_bug.cgi?id=2159291 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-32358 – Apple Safari PDF Plugin Type Confusion Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-32358
Processing web content may lead to arbitrary code execution. • https://support.apple.com/en-us/HT213670 https://support.apple.com/en-us/HT213676 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •