CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-27866 – IBM Informix JDBC code execution
https://notcve.org/view.php?id=CVE-2023-27866
IBM Informix JDBC Driver 4.10 and 4.50 is susceptible to remote code execution attack via JNDI injection when driver code or the application using the driver do not verify supplied LDAP URL in Connect String. IBM X-Force ID: 249511. • https://exchange.xforce.ibmcloud.com/vulnerabilities/249511 https://www.ibm.com/support/pages/node/7007615 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-36467 – AWS data.all vulnerable to RCE through user injection of Python Commands
https://notcve.org/view.php?id=CVE-2023-36467
AWS data.all is an open source development framework to help users build a data marketplace on Amazon Web Services. data.all versions 1.2.0 through 1.5.1 do not prevent remote code execution when a user injects Python commands into the ‘Template’ field when configuring a data pipeline. The issue can only be triggered by authenticated users. A fix for this issue is available in data.all version 1.5.2 and later. There is no recommended work around. • https://github.com/awslabs/aws-dataall/pull/472 https://github.com/awslabs/aws-dataall/releases/tag/v1.5.2 https://github.com/awslabs/aws-dataall/releases/tag/v1.5.4 https://github.com/awslabs/aws-dataall/security/advisories/GHSA-m922-chh7-8qcr • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-3393 – Code Injection in fossbilling/fossbilling
https://notcve.org/view.php?id=CVE-2023-3393
Code Injection in GitHub repository fossbilling/fossbilling prior to 0.5.1. • https://github.com/fossbilling/fossbilling/commit/47343fb58db5c17c14bc6941dacbeb9c96957351 https://huntr.dev/bounties/e4df9280-900a-407a-a07e-e7fef3345914 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 5EXPL: 0CVE-2023-35152 – XWiki Platform vulnerable to privilege escalation (PR) from account through like LiveTableResults
https://notcve.org/view.php?id=CVE-2023-35152
XWiki Platform is a generic wiki platform. Starting in version 12.9-rc-1 and prior to versions 14.4.8, 14.10.6, and 15.1, any logged in user can add dangerous content in their first name field and see it executed with programming rights. Leading to rights escalation. The vulnerability has been fixed on XWiki 14.4.8, 14.10.6, and 15.1. As a workaround, one may apply the patch manually. • https://github.com/xwiki/xwiki-platform/commit/0993a7ab3c102f9ac37ffe361a83a3dc302c0e45#diff-0b51114cb27f7a5c599cf40c59d658eae6ddc5c0836532c3b35e163f40a4854fR39 https://github.com/xwiki/xwiki-platform/commit/6ce2d04a5779e07f6d3ed3f37d4761049b4fc3ac#diff-ef7f8b911bb8e584fda22aac5876a329add35ca0d1d32e0fdb62a439b78cfa49 https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-rf8j-q39g-7xfm https://jira.xwiki.org/browse/XWIKI-19900 https://jira.xwiki.org/browse/XWIKI-20611 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 1CVE-2023-35150 – XWiki Platform vulnerable to privilege escalation (PR) from view right via Invitation application
https://notcve.org/view.php?id=CVE-2023-35150
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 2.40m-2 and prior to versions 14.4.8, 14.10.4, and 15.0, any user with view rights on any document can execute code with programming rights, leading to remote code execution by crafting an url with a dangerous payload. The problem has been patched in XWiki 15.0, 14.10.4 and 14.4.8. • https://github.com/xwiki/xwiki-platform/commit/b65220a4d86b8888791c3b643074ebca5c089a3a https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-6mf5-36v9-3h2w https://jira.xwiki.org/browse/XWIKI-20285 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •