CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-36522 – Apache Wicket: Remote code execution via XSLT injection
https://notcve.org/view.php?id=CVE-2024-36522
12 Jul 2024 — The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue. The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation. • http://www.openwall.com/lists/oss-security/2024/07/12/2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6396 – Arbitrary File Overwrite and Data Exfiltration in aimhubio/aim
https://notcve.org/view.php?id=CVE-2024-6396
12 Jul 2024 — A vulnerability in the `_backup_run` function in aimhubio/aim version 3.19.3 allows remote attackers to overwrite any file on the host server and exfiltrate arbitrary data. ... This can lead to denial of service by overwriting critical system files, loss of private data, and potential remote code execution. • https://huntr.com/bounties/c1b17afd-4656-47bb-8310-686a9e1b04a0 • CWE-29: Path Traversal: '\..\filename' •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40546
https://notcve.org/view.php?id=CVE-2024-40546
12 Jul 2024 — An arbitrary file upload vulnerability in the component /admin/cmsWebFile/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. • https://gitee.com/sanluan/PublicCMS/issues/IAAKYP • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40522
https://notcve.org/view.php?id=CVE-2024-40522
12 Jul 2024 — There is a remote code execution vulnerability in SeaCMS 12.9. ... An authenticated attacker can exploit this vulnerability to execute arbitrary commands and obtain system permissions. • https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20phomebak.php%20code%20injection.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40110
https://notcve.org/view.php?id=CVE-2024-40110
12 Jul 2024 — Sourcecodester Poultry Farm Management System v1.0 contains an Unauthenticated Remote Code Execution (RCE) vulnerability via the productimage parameter at /farm/product.php. Sourcecodester Poultry Farm Management System v1.0 contiene una vulnerabilidad de ejecución remota de código (RCE) no autenticada a través del parámetro productimage en /farm/product.php. • https://github.com/w3bn00b3r/Unauthenticated-Remote-Code-Execution-RCE---Poultry-Farm-Management-System-v1.0 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40519
https://notcve.org/view.php?id=CVE-2024-40519
12 Jul 2024 — SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is caused by admin_smtp.php directly splicing and writing the user input data into weixin.php without processing it, which allows authenticated attackers to exploit the vulnerability to execute arbitrary commands and obtain system permissions. • https://gitee.com/fushuling/cve/blob/master/SeaCMS%2012.9%20admin_smtp.php%20code%20injection.md •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40548
https://notcve.org/view.php?id=CVE-2024-40548
12 Jul 2024 — An arbitrary file upload vulnerability in the component /admin/cmsTemplate/save of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. • https://gitee.com/sanluan/PublicCMS/issues/IAALCK • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40545
https://notcve.org/view.php?id=CVE-2024-40545
12 Jul 2024 — An arbitrary file upload vulnerability in the component /admin/cmsWebFile/doUpload of PublicCMS v4.0.202302.e allows attackers to execute arbitrary code via uploading a crafted file. • https://gitee.com/sanluan/PublicCMS/issues/IAAIZD • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-40521
https://notcve.org/view.php?id=CVE-2024-40521
12 Jul 2024 — SeaCMS 12.9 has a remote code execution vulnerability. The vulnerability is due to the fact that although admin_template.php imposes certain restrictions on the edited file, attackers can still bypass the restrictions and write code in some way, allowing authenticated attackers to exploit the vulnerability to execute arbitrary commands and gain system privileges. • https://gitee.com/fushuling/cve/blob/master/%20SeaCMS%2012.9%20admin_template.php%20%20code%20injection.md •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-30213
https://notcve.org/view.php?id=CVE-2024-30213
12 Jul 2024 — StoneFly Storage Concentrator (SC and SCVM) before 8.0.4.26 allows remote authenticated users to achieve Command Injection via a Ping URL, leading to remote code execution. • https://stonefly.com/security-advisories/cve-2024-30213 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •