CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-28888
https://notcve.org/view.php?id=CVE-2024-28888
A specially crafted Javascript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. • https://talosintelligence.com/vulnerability_reports/TALOS-2024-1967 https://www.foxit.com/support/security-bulletins.html • CWE-416: Use After Free •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9174 – Stored HTML Injection in Hubshare social module
https://notcve.org/view.php?id=CVE-2024-9174
Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI • https://product.m-files.com/security-advisories/cve-2024-9174 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-45186
https://notcve.org/view.php?id=CVE-2024-45186
FileSender before 2.49 allows server-side template injection (SSTI) for retrieving credentials. • https://filesender.org/vulnerability-in-filesender-versions-below-2-49-and-3-x-beta • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-9394 – firefox: thunderbird: Cross-origin access to JSON contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9394
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://devtools` origin. This could allow them to access cross-origin JSON content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918874 https://www.mozilla.org/security/advisories/mfsa2024-46 https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.mozilla.org/security/advisories/mfsa2024-48 https://www.mozilla.org/security/advisories/mfsa2024-49 https://www.mozilla.org/security/advisories/mfsa2024-50 https://access.redhat.com/security/cve/CVE-2024-9394 https://bugzilla.redhat.com/show_bug.cgi?id=2315957 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-9393 – firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9393
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 https://www.mozilla.org/security/advisories/mfsa2024-46 https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.mozilla.org/security/advisories/mfsa2024-48 https://www.mozilla.org/security/advisories/mfsa2024-49 https://www.mozilla.org/security/advisories/mfsa2024-50 https://access.redhat.com/security/cve/CVE-2024-9393 https://bugzilla.redhat.com/show_bug.cgi?id=2315956 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-346: Origin Validation Error •