Page 412 of 37621 results (0.114 seconds)

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 https://www.wordfence.com/threat-intel/vulnerabilities/id/98ccc604-79c6-4be9-acb0-23fc82a31dfa?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

The Breakdance plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.7.1 via post meta data. ... As a result they can escalate their privileges or execute arbitrary code. • https://breakdance.com/breakdance-1-7-2-now-available-security-update https://www.wordfence.com/threat-intel/vulnerabilities/id/095b23b7-71ab-41eb-b666-73df2e1a7eb4?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 6.0EPSS: 0%CPEs: 3EXPL: 0

A medium severity vulnerability has been identified in the update mechanism of the Phish Alert Button for Outlook, which could allow an attacker to remotely execute arbitrary code on the host machine. ... Since the application fails to properly verify the authenticity of the update file, it will accept and execute the package, leading to arbitrary code execution on the host machine. Impact: Successful exploitation of this vulnerability allows an attacker to execute code with elevated privileges, potentially leading to data theft, installation of further malware, or other malicious activities on the host system. Affected Products: Phish Alert Button (PAB) for Outlook versions 1.10.0-1.10.11 Second Chance Client versions 2.0.0-2.0.9 PIQ Client versions 1.0.0-1.0.15 Remediation: Automated updates will be pushed to address this issue. • https://support.knowbe4.com/hc/en-us/articles/28959755127955-CVE-2024-29209 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 2.8EPSS: 0%CPEs: 3EXPL: 0

This vulnerability allows a regular user to modify the application's configuration file to redirect update checks to an arbitrary server, which can then be exploited in conjunction with CVE-2024-29209 to execute arbitrary code with elevated privileges. The issue stems from improper permission settings on the application's configuration file, which is stored in a common directory accessible to all users. ... If the system is also vulnerable to CVE-2024-29209, the attacker can deliver a malicious update package that, when executed, grants them elevated privileges. Impact: This vulnerability can lead to a regular user executing code with administrative privileges. • https://support.knowbe4.com/hc/en-us/articles/28959854203923-CVE-2024-29210 • CWE-269: Improper Privilege Management •

CVSS: 8.0EPSS: 0%CPEs: 8EXPL: 0

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Ubiquiti Networks EV Station. ... An attacker can leverage this vulnerability to execute code in the context of the adb shell. • https://community.ui.com/releases/Security-Advisory-bulletin-039-039/44e24007-2c2c-4ac0-bebf-3f19b9b24f09 • CWE-284: Improper Access Control •