CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48168
https://notcve.org/view.php?id=CVE-2024-48168
A stack overflow vulnerability exists in the sub_402280 function of the HNAP service of D-Link DCS-960L 1.09, allowing an attacker to execute arbitrary code. • https://github.com/fu37kola/cve/blob/main/D-Link/DCS-960L/D-Link%20DCS-960L%201.09%20Stack%20overflow_1.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-41997
https://notcve.org/view.php?id=CVE-2024-41997
An issue was discovered in version of Warp Terminal prior to 2024.07.18 (v0.2024.07.16.08.02). A command injection vulnerability exists in the Docker integration functionality. An attacker can create a specially crafted hyperlink using the `warp://action/docker/open_subshell` intent that when clicked by the victim results in command execution on the victim's machine. • https://docs.warp.dev/features/integrations-and-plugins#docker https://docs.warp.dev/getting-started/changelog#id-2024.07.18-v0.2024.07.16.08.02 https://gist.github.com/bhyh/d1ee7a825fce283bf8acbdb42c8a7832 https://github.com/warpdotdev/warp • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8760 – Stackable – Page Builder Gutenberg Blocks <= 3.13.6 - Unauthenticated CSS Injection
https://notcve.org/view.php?id=CVE-2024-8760
The Stackable – Page Builder Gutenberg Blocks plugin for WordPress is vulnerable to CSS Injection in all versions up to, and including, 3.13.6. This makes it possible for unauthenticated attackers to embed untrusted style information into comments resulting in a possibility of data exfiltration such as admin nonces with limited impact. These nonces could be used to perform CSRF attacks within a limited time window. The presence of other plugins may make additional nonces available, which may pose a risk in plugins that don't perform capability checks to protect AJAX actions or other actions reachable by lower-privileged users. • https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3158674%40stackable-ultimate-gutenberg-blocks%2Ftrunk&old=3156448%40stackable-ultimate-gutenberg-blocks%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/1fd0b13c-7447-45da-9608-80b7629d9bbf?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-45402 – Picotls double free
https://notcve.org/view.php?id=CVE-2024-45402
However, depending on the internals of malloc and the crypto backend being used, the flaw could potentially lead to a use-after-free scenario, which might allow for arbitrary code execution. • https://github.com/h2o/picotls/commit/9b88159ce763d680e4a13b6e8f3171ae923a535d https://github.com/h2o/picotls/security/advisories/GHSA-w7c8-wjx9-vvvv • CWE-415: Double Free •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-21534
https://notcve.org/view.php?id=CVE-2024-21534
Versions of the package jsonpath-plus before 10.0.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of vm in Node. **Note:** The unsafe behavior is still available after applying the fix but it is not turned on by default. • https://security.snyk.io/vuln/SNYK-JS-JSONPATHPLUS-7945884 https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-8185019 https://github.com/JSONPath-Plus/JSONPath/commit/6b2f1b4c234292c75912b790bf7e2d7339d4ccd3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •