
CVSS: 9.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

A code injection vulnerability that permits a low-privileged user to upload arbitrary files to the server, leading to remote code execution on the VSPC server. • https://www.veeam.com/kb4649 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

A series of related high-severity vulnerabilities, the most notable enabling remote code execution (RCE) as the service account and extraction of sensitive information (saved credentials and passwords). • https://www.veeam.com/kb4649 • CWE-522: Insufficiently Protected Credentials

CVSS: 9.8 | EPSS: 66% | CPEs: 3 | EXPL: 4

SPIP before 4.3.2, 4.2.16, and 4.1.18 is vulnerable to a command injection issue. A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request. • https://github.com/Chocapikk/CVE-2024-8517 • https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_2_a_big_upload • https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-2-SPIP-4-2-16-SPIP-4-1-18.html • https://vulncheck.com/advisories/spip-upload-rce • https://vozec.fr/researchs/spip-preauth-rce-2024-big-upload • https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spip_bigup_unauth_rce.rb • CWE-646: Reliance on File Name or Extension of Externally-Supplied File

CVSS: 9.1 | EPSS: 0% | CPEs: - | EXPL: 0

H2O.ai H2O through 3.46.0.4 allows attackers to arbitrarily set the JDBC URL, leading to deserialization attacks, file reads, and command execution. • https://spear-shield.notion.site/Unauthenticated-Remote-Code-Execution-via-Unrestricted-JDBC-Connection-87a958a4874044199cbb86422d1f6068 • https://gist.github.com/AfterSnows/c24ca3c26dc89ab797e610e92a6a9acb • CWE-502: Deserialization of Untrusted Data
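The H2O entry above is an instance of a general class: an application that lets a caller supply a complete JDBC URL also lets the caller pick the driver and every connector property, and several mainstream drivers expose properties that turn a connection attempt into deserialization of attacker-controlled data or a local file read. The check a practitioner wants is an allow-list on all three parts (sub-protocol, host, properties), not a block-list of known-bad property names. The following is an added example written for this page, not code from H2O.ai or from any of the linked write-ups; the allow-listed sub-protocols, hosts and property names are constructed for the demonstration and would come from configuration in a real deployment.

```python
"""Allow-list validation for a caller-supplied JDBC URL (added example).

Only a fixed set of sub-protocols, hosts and connector properties is
accepted; anything else is rejected with a reason. The host/port/path/query
parsing is delegated to urllib so no hand-rolled splitting is involved.
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed allow-lists for this example.
ALLOWED_SUBPROTOCOLS = {"postgresql", "mysql"}
ALLOWED_HOSTS = {"db.internal.example", "replica.internal.example"}
ALLOWED_PROPERTIES = {"user", "password", "sslmode", "useSSL", "requireSSL", "connectTimeout"}
MAX_URL_LEN = 512
DB_NAME_CHARS = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_")


class JdbcUrlRejected(ValueError):
    """Raised when the URL fails any check; the message names the check."""


def validate_jdbc_url(url: str) -> dict:
    """Return the vetted components of `url`, or raise JdbcUrlRejected."""
    if not isinstance(url, str) or not url or len(url) > MAX_URL_LEN:
        raise JdbcUrlRejected("empty, non-string or oversized URL")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in url):
        raise JdbcUrlRejected("control or non-ASCII character in URL")

    # A JDBC URL is "jdbc:<subprotocol>:<driver-specific rest>".
    parts = url.split(":", 2)
    if len(parts) != 3 or parts[0].lower() != "jdbc":
        raise JdbcUrlRejected("not a jdbc: URL")
    subprotocol = parts[1].lower()
    if subprotocol not in ALLOWED_SUBPROTOCOLS:
        raise JdbcUrlRejected(f"sub-protocol {subprotocol!r} not allowed")
    rest = parts[2]
    if not rest.startswith("//"):
        raise JdbcUrlRejected("expected //host[:port]/database form")

    # Prefix a synthetic scheme so urlsplit parses authority/path/query for us.
    parsed = urlsplit("x:" + rest)
    if parsed.username is not None or parsed.password is not None:
        raise JdbcUrlRejected("credentials in the authority are not accepted")
    if parsed.fragment:
        raise JdbcUrlRejected("fragment not allowed")
    host = parsed.hostname  # lower-cased; multi-host or address=() forms fail the allow-list
    if host not in ALLOWED_HOSTS:
        raise JdbcUrlRejected(f"host {host!r} not allowed")
    try:
        port = parsed.port  # None when absent; ValueError when malformed
    except ValueError as exc:
        raise JdbcUrlRejected("malformed port") from exc

    database = parsed.path[1:] if parsed.path.startswith("/") else ""
    if not database or not set(database) <= DB_NAME_CHARS:
        raise JdbcUrlRejected("database name missing or contains unsafe characters")

    # Every connector property must be on the allow-list; repeats are rejected
    # so a permitted key cannot be used to smuggle a second value.
    properties = {}
    for key, value in parse_qsl(parsed.query, keep_blank_values=True):
        if key not in ALLOWED_PROPERTIES:
            raise JdbcUrlRejected(f"property {key!r} not allowed")
        if key in properties:
            raise JdbcUrlRejected(f"property {key!r} repeated")
        properties[key] = value

    return {
        "subprotocol": subprotocol,
        "host": host,
        "port": port,
        "database": database,
        "properties": properties,
    }


def is_safe_jdbc_url(url: str) -> bool:
    """Boolean wrapper around validate_jdbc_url for callers that only gate."""
    try:
        validate_jdbc_url(url)
        return True
    except JdbcUrlRejected:
        return False


if __name__ == "__main__":
    for candidate in (
        "jdbc:postgresql://db.internal.example:5432/analytics?sslmode=require&user=app",
        "jdbc:mysql://db.internal.example/x?autoDeserialize=true",
        "jdbc:mysql://attacker.example:3306/x?user=app",
    ):
        print(candidate, "->", "accepted" if is_safe_jdbc_url(candidate) else "rejected")
```

The point of the allow-list on properties is that it does not need to know which driver option is dangerous this year; a property the application never needs is simply never forwarded to the driver.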

CVSS: 6.6 | EPSS: 0% | CPEs: 1 | EXPL: 0

This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/changeset/3144365/customizer-export-import • https://www.wordfence.com/threat-intel/vulnerabilities/id/7600e7df-725d-4877-b0bf-5329f814723f?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type
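Three entries on this page (the Veeam VSPC arbitrary upload, the SPIP multipart upload tagged CWE-646, and the WordPress plugin upload tagged CWE-434) share the same root pattern: the server lets the client-supplied file name decide what gets written and where. The defensive shape a practitioner wants is the opposite: the server chooses the stored name, the client name only nominates an allow-listed extension, and that nomination is cross-checked against the file's leading bytes. The following is an added example for this page, not code from Veeam, SPIP, WordPress or Wordfence; the allowed types, the executable-extension set and the sample files are constructed for the demonstration.

```python
"""Server-side upload acceptance that does not trust the client filename
(added example).

- The client name is reduced to its last path component and used only to
  nominate an extension from an allow-list.
- Any executable extension anywhere in the dotted name is rejected, so
  "shell.php.png" never reaches the type check.
- The nominated extension must agree with the file's magic bytes.
- The stored name is generated server-side; nothing from the client survives
  except the vetted extension.
"""
import secrets

# Constructed allow-list: extension -> accepted leading byte sequences.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
# Rejected wherever they appear in the dotted name (constructed list).
EXECUTABLE_PARTS = {
    "php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps",
    "jsp", "jspx", "asp", "aspx", "cgi", "pl", "py", "sh", "exe", "htaccess",
}
MAX_SIZE = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised when the upload fails any check; the message names the check."""


def _nominated_extension(filename: str) -> str:
    """Return the allow-listed extension the client name nominates, or raise."""
    # Keep only the final path component: "../x.png" and "C:\x.png" both become "x.png".
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or any(ord(c) < 0x20 for c in name):
        raise UploadRejected("empty filename or control characters in filename")
    parts = [p.lower() for p in name.split(".") if p]
    if len(parts) < 2:
        raise UploadRejected("no extension")
    if any(p in EXECUTABLE_PARTS for p in parts):
        raise UploadRejected("executable extension present in filename")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext!r} not allowed")
    return ext


def _content_matches(ext: str, content: bytes) -> bool:
    """True when the leading bytes are one of the signatures recorded for `ext`."""
    return any(content.startswith(magic) for magic in ALLOWED_TYPES[ext])


def accept_upload(filename: str, content: bytes) -> str:
    """Validate an upload and return the server-chosen storage name.

    The caller is expected to write the file under that name into a directory
    that the web server serves without executing (the name check alone does
    not detect a valid image that also carries script text).
    """
    if not content or len(content) > MAX_SIZE:
        raise UploadRejected("empty or oversized file")
    ext = _nominated_extension(filename)
    if not _content_matches(ext, content):
        raise UploadRejected(f"content does not look like .{ext}")
    return f"{secrets.token_hex(16)}.{ext}"


def is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean wrapper around accept_upload for callers that only gate."""
    try:
        accept_upload(filename, content)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs for the demonstration.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
POLYGLOT_SAMPLE = PNG_SAMPLE + b"<?php echo 1; ?>"
PDF_SAMPLE = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"

if __name__ == "__main__":
    for name, data in (
        ("photo.png", PNG_SAMPLE),
        ("avatar.php.png", POLYGLOT_SAMPLE),
        ("photo.jpg", PNG_SAMPLE),
        ("../../shell.php", b"<?php echo 1; ?>"),
        ("report.pdf", PDF_SAMPLE),
    ):
        try:
            print(name, "-> stored as", accept_upload(name, data))
        except UploadRejected as exc:
            print(name, "-> rejected:", exc)
```

Note the caveat in the docstring: a real PNG with PHP appended passes the magic-byte check when it is named `avatar.png`, which is why the server-chosen name and a non-executing storage location carry the real weight; the filename and signature checks only stop the cheap cases.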