CVE-2024-6100
https://notcve.org/view.php?id=CVE-2024-6100
Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. • https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html https://issues.chromium.org/issues/344608204 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6HYUEHZ35ZPY2EONVZCGO6LPT3AMLZCP https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5NRNCEYS246CYGOR32MF7OGKWOWER22 • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVE-2024-36116 – Path traversal in Reposilite javadoc file expansion
https://notcve.org/view.php?id=CVE-2024-36116
This could lead to remote code execution, for example by placing a new plugin into the '$workspace$/plugins' directory. • https://github.com/dzikoysk/reposilite/commit/848173738e4375482c70365db5cebae29f125eaa https://github.com/dzikoysk/reposilite/releases/tag/3.5.12 https://github.com/dzikoysk/reposilite/security/advisories/GHSA-frvj-cfq4-3228 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-36115 – Stored Cross site scripting in Reposilite artifacts
https://notcve.org/view.php?id=CVE-2024-36115
In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite. • https://github.com/dzikoysk/reposilite/commit/279a472015ec675c1da449d902dc82e4dd578484 https://github.com/dzikoysk/reposilite/commit/d11609f427aba255e0f6f54b1105d5d20ab043cf https://github.com/dzikoysk/reposilite/releases/tag/3.5.12 https://github.com/dzikoysk/reposilite/security/advisories/GHSA-9w8w-34vr-65j2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-32030 – Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI
https://notcve.org/view.php?id=CVE-2024-32030
In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. ... In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. • https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template https://github.com/provectus/kafka-ui/commit/83b5a60cc08501b570a0c4d0b4cdfceb1b88d6b7#diff-37e769f4709c1e78c076a5949bbcead74e969725bfd89c7c4ba6d6f229a411e6R36 https://github.com/provectus/kafka-ui/pull/4427 https://securitylab.github.com/advisories/GHSL-2023-229_GHSL-2023-230_kafka-ui • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVE-2024-35781 – WordPress Word Balloon plugin <= 4.21.1 - Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-35781
This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/word-balloon/wordpress-word-balloon-plugin-4-21-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •