CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5455 – The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce <= 5.5.6 - Authenticated (Contributor+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-5455
20 Jun 2024 — This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://roadmap.theplusaddons.com/updates • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 3CVE-2024-28397 – Pyload Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-28397
20 Jun 2024 — An issue in the component js2py.disable_pyimport() of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call. ... CVE-2024-28397 is a sandbox escape in js2py versions 0.74 and below. js2py is a popular python package that can evaluate javascript code inside a python interpreter. The vulnerability allows for an attacker to obtain a reference to a python object in the js2py environment enabling them to escape the sandbox, bypass pyimport restrictions an... • https://packetstorm.news/files/id/182692 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6100 – Debian Security Advisory 5716-1
https://notcve.org/view.php?id=CVE-2024-6100
19 Jun 2024 — Type Confusion in V8 in Google Chrome prior to 126.0.6478.114 allowed a remote attacker to execute arbitrary code via a crafted HTML page. ... (Severidad de seguridad de Chrome: alta) Security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure. • https://chromereleases.googleblog.com/2024/06/stable-channel-update-for-desktop_18.html • CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36116 – Path traversal in Reposilite javadoc file expansion
https://notcve.org/view.php?id=CVE-2024-36116
19 Jun 2024 — This could lead to remote code execution, for example by placing a new plugin into the '$workspace$/plugins' directory. • https://github.com/dzikoysk/reposilite/commit/848173738e4375482c70365db5cebae29f125eaa • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36115 – Stored Cross site scripting in Reposilite artifacts
https://notcve.org/view.php?id=CVE-2024-36115
19 Jun 2024 — In the worst case scenario, an attacker would be able to obtain the Remote code execution on all systems that use artifacts from Reposilite. • https://github.com/dzikoysk/reposilite/commit/279a472015ec675c1da449d902dc82e4dd578484 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-32030 – Remote code execution via JNDI resolution in JMX metrics collection in Kafka UI
https://notcve.org/view.php?id=CVE-2024-32030
19 Jun 2024 — In this scenario the attacker can exploit this vulnerability to expand their access and execute code on Kafka UI as well. ... In the worst case it could lead to remote code execution as Kafka UI has the required gadget chains in its classpath. This issue may lead to post-auth remote code execution. • https://github.com/huseyinstif/CVE-2024-32030-Nuclei-Template • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38617 – kunit/fortify: Fix mismatched kvalloc()/vfree() usage
https://notcve.org/view.php?id=CVE-2024-38617
19 Jun 2024 — A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. • https://git.kernel.org/stable/c/9124a26401483bf2b13a99cb4317dce3f677060f •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-38614 – openrisc: traps: Don't send signals to kernel mode threads
https://notcve.org/view.php?id=CVE-2024-38614
19 Jun 2024 — This patch adds conditions to die if the kernel receives these exceptions in kernel mode code. ... This patch adds conditions to die if the kernel receives these exceptions in kernel mode code. ... A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. • https://git.kernel.org/stable/c/27267655c5313ba0f5a3caa9ad35d887d9a12574 •
CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38613 – m68k: Fix spinlock race in kernel thread creation
https://notcve.org/view.php?id=CVE-2024-38613
19 Jun 2024 — A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. • https://git.kernel.org/stable/c/533e6903bea0440816a0f517b0845ccea4cc7917 •
CVSS: 9.8EPSS: 0%CPEs: 9EXPL: 0CVE-2024-38612 – ipv6: sr: fix invalid unregister error path
https://notcve.org/view.php?id=CVE-2024-38612
19 Jun 2024 — A local attacker in control of the hypervisor could use this to expose sensitive information or possibly execute arbitrary code in the trusted execution environment. • https://git.kernel.org/stable/c/46738b1317e169b281ad74690276916e24d1be6d • CWE-416: Use After Free CWE-476: NULL Pointer Dereference •