CVE-2024-7954 – SPIP porte_plume Plugin Arbitrary PHP Execution
https://notcve.org/view.php?id=CVE-2024-7954
The porte_plume plugin used by SPIP before 4.30-alpha2, 4.2.13, and 4.1.16 is vulnerable to an arbitrary code execution vulnerability. • https://github.com/Chocapikk/CVE-2024-7954 https://github.com/bigb0x/CVE-2024-7954 https://github.com/fa-rrel/CVE-2024-7954-RCE https://github.com/MuhammadWaseem29/RCE-CVE-2024-7954 https://vulncheck.com/advisories/spip-porte-plume https://blog.spip.net/Mise-a-jour-critique-de-securite-sortie-de-SPIP-4-3-0-alpha2-SPIP-4-2-13-SPIP-4.html https://thinkloveshare.com/hacking/spip_preauth_rce_2024_part_1_the_feather • CWE-284: Improper Access Control •
CVE-2024-5466 – Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-5466
Zohocorp ManageEngine OpManager and Remote Monitoring and Management versions 128329 and below are vulnerable to the authenticated remote code execution in the deploy agent option. • https://www.manageengine.com/itom/advisory/cve-2024-5466.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-7656 – Image Hotspot by DevVN <= 1.2.5 - Authenticated (Author+) PHP Object Injection
https://notcve.org/view.php?id=CVE-2024-7656
The Image Hotspot by DevVN plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.2.5 via deserialization of untrusted input in the 'devvn_ihotspot_shortcode_func' function. This makes it possible for authenticated attackers, with Author-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://www.wordfence.com/threat-intel/vulnerabilities/id/624bdb9e-6c50-4a00-9a04-1a32c938d48b?source=cve https://plugins.trac.wordpress.org/browser/devvn-image-hotspot/trunk/admin/inc/add_shortcode_devvn_ihotspot.php#L16 https://plugins.trac.wordpress.org/changeset/3139899 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-42756
https://notcve.org/view.php?id=CVE-2024-42756
An issue in Netgear DGN1000WW v.1.1.00.45 allows a remote attacker to execute arbitrary code via the Diagnostics page • https://github.com/Nop3z/CVE/blob/main/Netgear/Netgear%20DGN1000%20RCE/Netgear%20DGN1000%20RCE.md https://www.netgear.com/about/security • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-42845 – Invesalius 3.1 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-42845
An eval Injection vulnerability in the component invesalius/reader/dicom.py of InVesalius 3.1.99991 through 3.1.99998 allows attackers to execute arbitrary code via loading a crafted DICOM file. • https://github.com/invesalius/invesalius3 https://github.com/invesalius/invesalius3/releases https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845 • CWE-94: Improper Control of Generation of Code ('Code Injection') •