CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-3408 – Authentication Bypass and RCE in man-group/dtale
https://notcve.org/view.php?id=CVE-2024-3408
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. ... Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. man-group/dtale versión 3.10.0 es vulnerable a una omisión de autenticación y ejecución remota de código (RCE) debido a una validación de entrada incorrecta. • https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-5187 – Arbitrary File Overwrite in download_model_with_test_data in onnx/onnx
https://notcve.org/view.php?id=CVE-2024-5187
This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. • https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-5278 – Unrestricted File Upload leading to RCE in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-5278
This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application. gaizhenbiao/chuanhuchatgpt es afectado por una vulnerabilidad de carga de archivos sin restricciones debido a una validación insuficiente de los tipos de archivos cargados en su endpoint `/upload`. ... Esta vulnerabilidad, presente en la última versión 20240310, podría provocar ataques XSS almacenados y potencialmente provocar la ejecución remota de código (RCE) en el servidor que aloja la aplicación. • https://huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 4.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-3095 – SSRF in Langchain Web Research Retriever in langchain-ai/langchain
https://notcve.org/view.php?id=CVE-2024-3095
The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. ... This could potentially lead to arbitrary code execution, depending on the nature of the local services. • https://github.com/leoCottret/CVE-2024-30956 https://huntr.com/bounties/e62d4895-2901-405b-9559-38276b6a5273 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 3.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-3166 – Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm
https://notcve.org/view.php?id=CVE-2024-3166
The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. ... En la aplicación de escritorio, esta falla se puede escalar a ejecución remota de código (RCE) debido a configuraciones inseguras de la aplicación, específicamente la habilitación de 'nodeIntegration' y la deshabilitación de 'contextIsolation' en las preferencias web de Electron. • https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13fabc19a20a5ce https://huntr.com/bounties/af288bd3-8824-4216-a294-ae9fb444e5db • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •