CVE-2024-32113 – Apache OFBiz Path Traversal Vulnerability
https://notcve.org/view.php?id=CVE-2024-32113
Apache OFBiz contains a path traversal vulnerability that could allow for remote code execution.
References:
• https://www.exploit-db.com/exploits/52020
• https://github.com/Mr-xn/CVE-2024-32113
• https://github.com/RacerZ-fighting/CVE-2024-32113-POC
• https://github.com/YongYe-Security/CVE-2024-32113
• http://www.openwall.com/lists/oss-security/2024/05/09/1
• https://issues.apache.org/jira/browse/OFBIZ-13006
• https://lists.apache.org/thread/w6s60okgkxp2th1sr8vx0ndmgk68fqrd
• https://ofbiz.apache.org/download.html
• https://ofbiz.apache.org/security.html
Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2024-34347 – @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
https://notcve.org/view.php?id=CVE-2024-34347
However, the vm module is not safe for sandboxing untrusted JavaScript code. This is because code inside the vm context can break out if it can get hold of any reference to an object created outside of the vm.
References:
• https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01
• https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr
Weakness: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2024-3807 – Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta
https://notcve.org/view.php?id=CVE-2024-3807
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
References:
• https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc
• https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399
• https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc3da9e-4b5f-4200-9df9-0ae953571377?source=cve
Weakness: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-3809 – Porto Theme - Functionality <= 3.0.9 - Authenticated (Contributor+) Local File Inclusion via Post Meta
https://notcve.org/view.php?id=CVE-2024-3809
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
References:
• https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399
• https://www.wordfence.com/threat-intel/vulnerabilities/id/f5cdd3c1-6353-4bee-a4f9-5b7972f0970c?source=cve
Weakness: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-3808 – Porto Theme - Functionality <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
https://notcve.org/view.php?id=CVE-2024-3808
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
References:
• https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399
• https://www.wordfence.com/threat-intel/vulnerabilities/id/fea96f84-f75b-4f02-9ca8-f8fda439d565?source=cve
Weakness: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')