CVE-2023-30990 – IBM i command execution
https://notcve.org/view.php?id=CVE-2023-30990
IBM i 7.2, 7.3, 7.4, and 7.5 could allow a remote attacker to execute CL commands as QUSER, caused by an exploitation of DDM architecture. IBM X-Force ID: 254036. • https://exchange.xforce.ibmcloud.com/vulnerabilities/254036 https://www.ibm.com/support/pages/node/7008573 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-26299
https://notcve.org/view.php?id=CVE-2023-26299
A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS), which might allow arbitrary code execution. • https://support.hp.com/us-en/document/ish_8642715-8642746-16/hpsbhf03850 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVE-2023-29145
https://notcve.org/view.php?id=CVE-2023-29145
The Malwarebytes EDR 1.0.11 for Linux driver doesn't properly ensure whitelisting of executable libraries loaded by executable files, allowing arbitrary code execution. • https://malwarebytes.com https://www.malwarebytes.com/secure/cves/cve-2023-29145 •
CVE-2023-36469 – Code injection through NotificationRSSService in XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36469
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user who can edit their own user profile and notification settings can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. This has been patched in XWiki 14.10.6 and 15.2RC1. Users are advised to update. As a workaround the main security fix can be manually applied by patching the affected document `XWiki.Notifications.Code.NotificationRSSService`. • https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-7221a548809fa2ba34348556f4b5bd436463c559ebdf691197932ee7ce4478ca https://github.com/xwiki/xwiki-platform/commit/217e5bb7a657f2991b154a16ef4d5ae9c29ad39c#diff-b261c6eac3108c3e6e734054c28a78f59d3439ab72fe8582dadf87670a0d15a4 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-94pf-92hw-2hjc https://jira.xwiki.org/browse/XWIKI-20610 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2023-36470 – Code injection in icon themes of XWiki Platform
https://notcve.org/view.php?id=CVE-2023-36470
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By either creating a new or editing an existing document with an icon set, an attacker can inject XWiki syntax and Velocity code that is executed with programming rights and thus allows remote code execution. There are different attack vectors, the simplest is the Velocity code in the icon set's HTML or XWiki syntax definition. The [icon picker](https://extensions.xwiki.org/xwiki/bin/view/Extension/Icon%20Theme%20Application#HIconPicker) can be used to trigger the rendering of any icon set. The XWiki syntax variant of the icon set is also used without any escaping in some documents, allowing to inject XWiki syntax including script macros into a document that might have programming right, for this the currently used icon theme needs to be edited. • https://github.com/xwiki/xwiki-platform/commit/46b542854978e9caa687a5c2b8817b8b17877d94 https://github.com/xwiki/xwiki-platform/commit/79418dd92ca11941b46987ef881bf50424898ff4 https://github.com/xwiki/xwiki-platform/commit/b0cdfd893912baaa053d106a92e39fa1858843c7 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-fm68-j7ww-h9xf https://jira.xwiki.org/browse/XWIKI-20524 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •