CVE-2024-28397
https://notcve.org/view.php?id=CVE-2024-28397
An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call. Un problema en el componente js2py.disable_pyimport() de js2py hasta v0.74 permite a atacantes ejecutar código arbitrario a través de una llamada API manipulada. • https://github.com/Marven11/CVE-2024-28397-js2py-Sandbox-Escape https://github.com/CYBER-WARRIOR-SEC/CVE-2024-28397-js2py-Sandbox-Escape https://github.com/Marven11 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-5691 – Mozilla: Sandboxed iframes were able to bypass sandbox restrictions to open a new window
https://notcve.org/view.php?id=CVE-2024-5691
By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. ... The Mozilla Foundation Security Advisory describes this flaw as: By tricking the browser with a `X-Frame-Options` header, a sandboxed iframe could have presented a button that, if clicked by a user, would bypass restrictions to open a new window. • https://bugzilla.mozilla.org/show_bug.cgi?id=1888695 https://lists.debian.org/debian-lts-announce/2024/06/msg00000.html https://lists.debian.org/debian-lts-announce/2024/06/msg00010.html https://www.mozilla.org/security/advisories/mfsa2024-25 https://www.mozilla.org/security/advisories/mfsa2024-26 https://www.mozilla.org/security/advisories/mfsa2024-28 https://access.redhat.com/security/cve/CVE-2024-5691 https://bugzilla.redhat.com/show_bug.cgi?id=2291397 • CWE-284: Improper Access Control •
CVE-2024-29510 – Ghostscript Command Execution via Format String
https://notcve.org/view.php?id=CVE-2024-29510
Artifex Ghostscript before 10.03.1 allows memory corruption, and SAFER sandbox bypass, via format string injection with a uniprint device. Artifex Ghostscript anterior a 10.03.1 permite la corrupción de la memoria y una omisión MÁS SEGURA de la sandbox mediante la inyección de cadena de formato con un dispositivo uniprint. • https://github.com/swsmith2391/CVE-2024-29510 https://bugs.ghostscript.com/show_bug.cgi?id=707662 https://codeanlabs.com/blog/research/cve-2024-29510-ghostscript-format-string-exploitation https://www.openwall.com/lists/oss-security/2024/07/03/7 https://access.redhat.com/security/cve/CVE-2024-29510 https://bugzilla.redhat.com/show_bug.cgi?id=2293950 https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/fileformat/ghostscript_format_string_cve_2024_29510.rb • CWE-20: Improper Input Validation CWE-693: Protection Mechanism Failure •
CVE-2024-34098 – ZDI-CAN-XXXX: [Pwn2Own] Acrobat sandbox bypass part 1 of 2
https://notcve.org/view.php?id=CVE-2024-34098
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. • https://helpx.adobe.com/security/products/acrobat/apsb24-29.html • CWE-20: Improper Input Validation •
CVE-2024-34099 – ZDI-CAN-XXXX: [Pwn2Own] Acrobat sandbox bypass part 2 of 2
https://notcve.org/view.php?id=CVE-2024-34099
Acrobat Reader versions 20.005.30574, 24.002.20736 and earlier are affected by an Improper Access Control vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. • https://helpx.adobe.com/security/products/acrobat/apsb24-29.html • CWE-284: Improper Access Control •