CVE-2024-37288
https://notcve.org/view.php?id=CVE-2024-37288
A deserialization issue in Kibana can lead to arbitrary code execution when Kibana attempts to parse a YAML document containing a crafted payload. • https://discuss.elastic.co/t/kibana-8-15-1-security-update-esa-2024-27-esa-2024-28/366119 • CWE-502: Deserialization of Untrusted Data •
CVE-2024-8268 – Frontend Dashboard <= 2.2.4 - Authenticated (Subscriber+) Arbitrary Function Call
https://notcve.org/view.php?id=CVE-2024-8268
The Frontend Dashboard plugin for WordPress is vulnerable to unauthorized code execution due to insufficient filtering on callable methods/functions via the ajax_request() function in all versions up to, and including, 2.2.4. • https://plugins.trac.wordpress.org/browser/frontend-dashboard/tags/2.2.4/route/class-fed-request.php#L29 https://plugins.trac.wordpress.org/changeset/3147868/frontend-dashboard/tags/2.2.5/route/class-fed-request.php?old=3048034&old_path=frontend-dashboard%2Ftags%2F2.2.4%2Froute%2Fclass-fed-request.php https://www.wordfence.com/threat-intel/vulnerabilities/id/7d66694a-c99f-44f8-8004-1a47ad9f9250?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-8478 – Affiliate Super Assistent <= 1.5.3 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8478
The The Affiliate Super Assistent plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.5.3. This is due to the software allowing users to supply arbitrary shortcodes in comments when the 'Parse comments' option is enabled. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/browser/amazonsimpleadmin/trunk/AsaCore.php#L285 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3147740%40amazonsimpleadmin&new=3147740%40amazonsimpleadmin&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/7f50769c-77b8-42ff-b67d-b9b289fc51da?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-44411
https://notcve.org/view.php?id=CVE-2024-44411
D-Link DI-8300 v16.07.26A1 is vulnerable to command injection via the msp_info_htm function. • https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/CVE-2024-44411 https://github.com/LYaoBoL/IOTsec/blob/main/D-Link/DI-8300A1/DI-8300A1-2.md https://www.dlink.com/en/security-bulletin • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-44724
https://notcve.org/view.php?id=CVE-2024-44724
AutoCMS v5.4 was discovered to contain a PHP code injection vulnerability via the txtsite_url parameter at /admin/site_add.php. • https://github.com/Hebing123/cve/issues/68 • CWE-94: Improper Control of Generation of Code ('Code Injection') •