CVSS: 4.6EPSS: 0%CPEs: -EXPL: 0CVE-2023-32157 – Tesla Model 3 bsa_server BIP Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2023-32157
Tesla Model 3 bsa_server BIP Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability. ... Tesla Model 3 bsa_server BIP Heap-based Buffer Overflow Arbitrary Code Execution Vulnerability. • https://www.zerodayinitiative.com/advisories/ZDI-23-973 • CWE-122: Heap-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37476 – Zip slip in OpenRefine
https://notcve.org/view.php?id=CVE-2023-37476
A carefully crafted malicious OpenRefine project tar file can be used to trigger arbitrary code execution in the context of the OpenRefine process if a user can be convinced to import it. • https://github.com/OpenRefine/OpenRefine/commit/e9c1e65d58b47aec8cd676bd5c07d97b002f205e https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-m88m-crr9-jvqq • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 1%CPEs: 8EXPL: 0CVE-2021-37384
https://notcve.org/view.php?id=CVE-2021-37384
RCE (Remote Code Execution) vulnerability was found in some Furukawa ONU models, this vulnerability allows remote unauthenticated users to send arbitrary commands to the device via web interface. • https://cwe.mitre.org/data/definitions/94.html https://gist.githubusercontent.com/LuigiPolidorio/9fe61cf2edee63152161ffc52c39f6cd/raw/529cf49103e0fdf4eeb970fa1f62fa508ebe7c3c/reference.txt https://owasp.org/www-community/attacks/Code_Injection https://www.softwall.com.br/cves/publicacao-rce-html-injection-furukawa • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-37466 – vm2 Sandbox Escape vulnerability
https://notcve.org/view.php?id=CVE-2023-37466
vm2 is an advanced vm/sandbox for Node.js. The library contains critical security issues and should not be used for production. The maintenance of the project has been discontinued. In vm2 for versions up to 3.9.19, `Promise` handler sanitization can be bypassed with the `@@species` accessor property allowing attackers to escape the sandbox and run arbitrary code, potentially allowing remote code execution inside the context of vm2 sandbox. vm2 es una máquina virtual/sandbox avanzada para Node.js. La librería contiene problemas de seguridad críticos y no debe usarse para producción. • https://github.com/patriksimek/vm2/security/advisories/GHSA-cchq-frgv-rjh5 https://access.redhat.com/security/cve/CVE-2023-37466 https://bugzilla.redhat.com/show_bug.cgi?id=2232376 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-37274 – Python code execution sandbox escape in non-docker version in Auto-GPT
https://notcve.org/view.php?id=CVE-2023-37274
This can further be abused to achieve arbitrary code execution on the host running Auto-GPT by e.g. overwriting autogpt/main.py which will be executed outside of the docker environment meant to sandbox custom python code execution the next time Auto-GPT is started. • https://github.com/Significant-Gravitas/Auto-GPT/pull/4756 https://github.com/Significant-Gravitas/Auto-GPT/security/advisories/GHSA-5h38-mgp9-rj5f • CWE-94: Improper Control of Generation of Code ('Code Injection') •