CVE-2024-47131 – Delta Electronics DIAScreen Stack-based Buffer Overflow
https://notcve.org/view.php?id=CVE-2024-47131
If an attacker tricks a valid user into running Delta Electronics DIAScreen with a file containing malicious code, a stack-based buffer overflow in BACnetObjectInfo can be exploited, allowing the attacker to remotely execute arbitrary code. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Delta Electronics DIAScreen. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-312-02 https://www.deltaww.com/en-US/Cybersecurity_Advisory • CWE-121: Stack-based Buffer Overflow •
CVE-2024-10640 – The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-10640
The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3183018%40woocommerce-currency-switcher&old=3178647%40woocommerce-currency-switcher&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-10626 – WooCommerce Support Ticket System <= 17.7 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-10626
The WooCommerce Support Ticket System plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the delete_uploaded_file() function in all versions up to, and including, 17.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 https://www.wordfence.com/threat-intel/vulnerabilities/id/eeb2c829-579f-41e2-ad5f-8e4fc125d980? • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-51152
https://notcve.org/view.php?id=CVE-2024-51152
File Upload vulnerability in Laravel CMS v.1.4.7 and before allows a remote attacker to execute arbitrary code via the shell.php a component. • https://co-a1natas.feishu.cn/docx/GuYjd2lDEoxNhVxPa9Yc1akknee • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-51055
https://notcve.org/view.php?id=CVE-2024-51055
An issue Hoosk v1.7.1 allows a remote attacker to execute arbitrary code via a crafted script to the config.php component. • https://github.com/havok89/Hoosk/issues/66 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •