
CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jul 2024 — This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/exs-widgets/wordpress-exs-widgets-plugin-0-3-1-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jul 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in Realtyna Realtyna Organic IDX plugin allows Code Injection. This issue affects Realtyna Organic IDX plugin: from n/a through 4.14.13. ... This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/real-estate-listing-realtyna-wpl/wordpress-realtyna-organic-idx-plugin-4-14-13-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jul 2024 — This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/events-calendar-for-google/wordpress-events-calendar-for-google-plugin-2-1-0-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

11 Jul 2024 — Unrestricted Upload of File with Dangerous Type vulnerability in SpreadsheetConverter Import Spreadsheets from Microsoft Excel allows Code Injection. This issue affects Import Spreadsheets from Microsoft Excel: from n/a through 10.1.4. ... This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/import-spreadsheets-from-microsoft-excel/wordpress-import-spreadsheets-from-microsoft-excel-plugin-10-1-4-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •

CVSS: 9.8 • EPSS: 0% • CPEs: 355 • EXPL: 0

11 Jul 2024 — An unauthenticated user can post crafted data to the interface that triggers a stack buffer overflow, and may lead to arbitrary remote code execution on a BMC. • https://www.supermicro.com/zh_tw/support/security_BMC_IPMI_Jul_2024 • CWE-121: Stack-based Buffer Overflow •

CVSS: 7.6 • EPSS: 0% • CPEs: 2 • EXPL: 0

11 Jul 2024 — A remote attacker can trick the victim into bookmarking a malicious Samba server and then opening the bookmark, and so execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks. •

CVSS: 7.2 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Jul 2024 — An authenticated technician user can upload a malicious PHP script and hijack the plugin loader to execute this malicious script. • https://github.com/glpi-project/glpi/security/advisories/GHSA-cwvp-j887-m4xh • CWE-73: External Control of File Name or Path •

CVSS: 10.0 • EPSS: 96% • CPEs: 1 • EXPL: 2

10 Jul 2024 — Missing authentication for a critical function in Palo Alto Networks Expedition can lead to an Expedition admin account takeover for attackers with network access to Expedition. Note: Expedition is a tool aiding in configuration migration, tuning, and enrichment. Configuration secrets, credentials, and other data imported into Expedition is at risk due to this issue. • https://packetstorm.news/files/id/182665 • CWE-306: Missing Authentication for Critical Function •

CVSS: 10.0 • EPSS: 94% • CPEs: 1 • EXPL: 1

10 Jul 2024 — This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ... An unauthenticated user could exploit this vulnerability to execute code remotely. • https://github.com/NoTsPepino/CVE-2024-4879-CVE-2024-5217-ServiceNow-RCE-Scanning • CWE-184: Incomplete List of Disallowed Inputs •

CVSS: 10.0 • EPSS: 95% • CPEs: 1 • EXPL: 11

10 Jul 2024 — This vulnerability could enable an unauthenticated user to remotely execute code within the context of the Now Platform. ... An unauthenticated user could exploit this vulnerability to execute code remotely. • https://github.com/NoTsPepino/CVE-2024-4879-CVE-2024-5217-ServiceNow-RCE-Scanning • CWE-1287: Improper Validation of Specified Type of Input •