CVE-2024-47208 – Apache OFBiz: URLs allowing remote use of Groovy expressions, leading to RCE
https://notcve.org/view.php?id=CVE-2024-47208
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
References:
https://issues.apache.org/jira/browse/OFBIZ-13158
https://lists.apache.org/thread/022r19skfofhv3lzql33vowlrvqndh11
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
Weaknesses:
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-918: Server-Side Request Forgery (SSRF)
CVE-2024-48962 – Apache OFBiz: Bypass SameSite restrictions with target redirection using URL parameters (SSTI and CSRF leading to RCE)
https://notcve.org/view.php?id=CVE-2024-48962
Improper Control of Generation of Code ('Code Injection'), Cross-Site Request Forgery (CSRF), Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.17. Users are recommended to upgrade to version 18.12.17, which fixes the issue.
References:
https://issues.apache.org/jira/browse/OFBIZ-13162
https://lists.apache.org/thread/6sddh4pts90cp8ktshqb4xykdp6lb6q6
https://ofbiz.apache.org/download.html
https://ofbiz.apache.org/security.html
Weaknesses:
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CVE-2024-11315 – TRCore DVC - Arbitrary File Upload through Path Traversal
https://notcve.org/view.php?id=CVE-2024-11315
This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.
References:
https://www.twcert.org.tw/en/cp-139-8255-0bb1a-2.html
https://www.twcert.org.tw/tw/cp-132-8254-8daa2-1.html
Weaknesses:
CWE-23: Relative Path Traversal
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-11314 – TRCore DVC - Arbitrary File Upload through Path Traversal
https://notcve.org/view.php?id=CVE-2024-11314
This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.
References:
https://www.twcert.org.tw/en/cp-139-8253-bc363-2.html
https://www.twcert.org.tw/tw/cp-132-8252-91d6a-1.html
Weaknesses:
CWE-23: Relative Path Traversal
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-11313 – TRCore DVC - Arbitrary File Upload through Path Traversal
https://notcve.org/view.php?id=CVE-2024-11313
This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells.
References:
https://www.twcert.org.tw/en/cp-139-8251-3455e-2.html
https://www.twcert.org.tw/tw/cp-132-8250-1837b-1.html
Weaknesses:
CWE-23: Relative Path Traversal
CWE-434: Unrestricted Upload of File with Dangerous Type