CVE-2024-3551 – Penci Soledad Data Migrator <= 1.3.0 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-3551
This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.
• https://github.com/efekaanakkar/CVE-2024-35511 https://themeforest.net/item/soledad-multiconcept-blogmagazine-wp-theme/12945398 https://www.wordfence.com/threat-intel/vulnerabilities/id/a4f8df3a-f247-4365-a9f6-6124065b4883?source=cve
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-4999 – Ligowave Unity/Pro/Mimo/APC Arbitrary Command Injection
https://notcve.org/view.php?id=CVE-2024-4999
A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary commands with elevated privileges. This issue affects UNITY: through 6.95-2; PRO: through 6.95-1.Rt3883; MIMO: through 6.95-1.Rt2880; APC Propeller: through 2-5.95-4.Rt3352.
• https://onekey.com/blog/security-advisory-remote-code-execution-in-ligowave-devices
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-2366 – Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2366
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. ... By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.
• https://huntr.com/bounties/63266c77-408b-45ff-962c-8163db50a864
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-4078 – Arbitrary Code Execution in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-4078
A vulnerability in parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. ... Exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
• https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d
• CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-3435 – Path Traversal in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-3435
This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities. ...
• https://github.com/ymuraki-csc/cve-2024-3435 https://github.com/parisneo/lollms-webui/commit/bb99b59e710d00c4f2598faa5e183fa30fbd3bc2 https://huntr.com/bounties/494f349a-8650-4d30-a0bd-4742fda44ce5
• CWE-29: Path Traversal: '\..\filename'