CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-2359 – Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2359
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. ... By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. • https://huntr.com/bounties/62144831-8d4b-4cf2-9737-5e559f7bc67e • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-2360 – Path Traversal leading to Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2360
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. • https://huntr.com/bounties/65d0ef59-a761-4bbd-86fa-dd8e8621082e • CWE-29: Path Traversal: '\..\filename' •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-3408 – Authentication Bypass and RCE in man-group/dtale
https://notcve.org/view.php?id=CVE-2024-3408
man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. ... Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authentication mechanisms and execute remote code on the server. man-group/dtale versión 3.10.0 es vulnerable a una omisión de autenticación y ejecución remota de código (RCE) debido a una validación de entrada incorrecta. • https://huntr.com/bounties/57a06666-ff85-4577-af19-f3dfb7b02f91 • CWE-20: Improper Input Validation •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-5187 – Arbitrary File Overwrite in download_model_with_test_data in onnx/onnx
https://notcve.org/view.php?id=CVE-2024-5187
This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. • https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-5278 – Unrestricted File Upload leading to RCE in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-5278
This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application. gaizhenbiao/chuanhuchatgpt es afectado por una vulnerabilidad de carga de archivos sin restricciones debido a una validación insuficiente de los tipos de archivos cargados en su endpoint `/upload`. ... Esta vulnerabilidad, presente en la última versión 20240310, podría provocar ataques XSS almacenados y potencialmente provocar la ejecución remota de código (RCE) en el servidor que aloja la aplicación. • https://huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05 • CWE-434: Unrestricted Upload of File with Dangerous Type •