CVSS: 6.6EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50333 – RCE in ModuleBuilder in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50333
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at the runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9307 – mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files
https://notcve.org/view.php?id=CVE-2024-9307
This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file. • https://wordpress.org/plugins/mfolio-lite/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/3b4012dd-7c0a-45f1-8ada-8f9dc6867e1e?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9579 – Certain Poly Video Conference Devices – Potential Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-9579
A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself. Se descubrió una vulnerabilidad potencial en ciertos dispositivos de videoconferencia de Poly. El fallo del firmware no desinfecta adecuadamente la entrada del usuario. • https://support.hp.com/us-en/document/ish_11536495-11536533-16/hpsbpy03900 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.6EPSS: 0%CPEs: -EXPL: 0CVE-2023-29119 – Unauthorized SQLite Injection
https://notcve.org/view.php?id=CVE-2023-29119
Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/dbstore.php. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.6EPSS: 0%CPEs: -EXPL: 0CVE-2023-29118 – Unauthorized SQLite Injection in Enel X Juicebox
https://notcve.org/view.php?id=CVE-2023-29118
Waybox Enel X web management application could execute arbitrary requests on the internal database via /admin/versions.php. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •