CVE-2024-45507 – Apache OFBiz: Prevent use of URLs in files when loading them from Java or Groovy, leading to a RCE
https://notcve.org/view.php?id=CVE-2024-45507
Server-Side Request Forgery (SSRF), Improper Control of Generation of Code ('Code Injection') vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.16. Users are recommended to upgrade to version 18.12.16, which fixes the issue. • https://issues.apache.org/jira/browse/OFBIZ-13132 https://lists.apache.org/thread/o90dd9lbk1hh3t2557t2y2qvrh92p7wy https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2024-7627 – Bit File Manager 6.0 - 6.5.5 - Unauthenticated Remote Code Execution via Race Condition
https://notcve.org/view.php?id=CVE-2024-7627
The Bit File Manager plugin for WordPress is vulnerable to Remote Code Execution in versions 6.0 to 6.5.5 via the 'checkSyntax' function. This is due to writing a temporary file to a publicly accessible directory before performing file validation. This makes it possible for unauthenticated attackers to execute code on the server if an administrator has allowed Guest User read permissions. • https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L39 https://plugins.trac.wordpress.org/browser/file-manager/trunk/backend/app/Providers/FileEditValidator.php#L88 https://plugins.trac.wordpress.org/changeset/3138710 https://www.wordfence.com/threat-intel/vulnerabilities/id/5f29de7a-3f15-4b6d-aad7-6a08151e2113?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-45390 – @blakeembrey/template vulnerable to code injection when attacker controls template input
https://notcve.org/view.php?id=CVE-2024-45390
@blakeembrey/template is a string template library. Prior to version 1.2.0, it is possible to inject and run code within the template if the attacker has access to write the template name. Version 1.2.0 contains a patch. As a workaround, don't pass untrusted input as the template display name, or don't use the display name feature. • https://github.com/blakeembrey/js-template/commit/b8d9aa999e464816c6cfb14acd1ad0f5d1e335aa https://github.com/blakeembrey/js-template/security/advisories/GHSA-q765-wm9j-66qj • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-7345 – Direct local client connections to MS Agents can bypass authentication
https://notcve.org/view.php?id=CVE-2024-7345
Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms • https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-8374 – Arbitrary Code Injection in Cura
https://notcve.org/view.php?id=CVE-2024-8374
UltiMaker Cura slicer versions 5.7.0-beta.1 through 5.7.2 are vulnerable to code injection via the 3MF format reader (/plugins/ThreeMFReader.py). • https://github.com/Ultimaker/Cura/commit/285a241eb28da3188c977f85d68937c0dad79c50 • CWE-94: Improper Control of Generation of Code ('Code Injection') •