CVE-2024-33393
https://notcve.org/view.php?id=CVE-2024-33393
An issue in spidernet-io spiderpool v.0.9.3 and before allows a local attacker to execute arbitrary code via a crafted command to get the token component. • https://gist.github.com/HouqiyuA/fdb09caea44c80a5681ca1d30bcd6777 • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2024-33428
https://notcve.org/view.php?id=CVE-2024-33428
Buffer-overflow vulnerability at conv.c:68 of stsaz phiola v2.0-rc22 allows a remote attacker to execute arbitrary code via a crafted .wav file. • https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/heap-buffer-overflow-1/heap-buffer-overflow-1.assets/image-20240420005017430.png https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/heap-buffer-overflow-1/heap-buffer-overflow-1.md https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/heap-buffer-overflow-1/poc https://github.com/Helson-S/FuzzyTesting/tree/master/phiola/heap-buffer-overflow-1 https://github.com/stsaz/phiola/issues/29 • CWE-122: Heap-based Buffer Overflow •
CVE-2024-4033 – All-in-One Video Gallery <= 3.6.4 - Authenticated (Contributor+) Arbitrary File Upload via featured image
https://notcve.org/view.php?id=CVE-2024-4033
This makes it possible for authenticated attackers, with contributor access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/functions.php#L140 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3078876%40all-in-one-video-gallery%2Ftrunk&old=3072329%40all-in-one-video-gallery%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/e0f295f9-1090-4b10-abc5-3f73c5b4e28d?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-33300
https://notcve.org/view.php?id=CVE-2024-33300
The Typora Markdown editor, v1.0.0 through v1.7 (and below), has a cross-site scripting (XSS) vulnerability, which allows attackers to execute arbitrary code by uploading Markdown files. • https://github.com/whoisoo6/Stored-xss-vulnerability-exists-in-Typra • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-33430
https://notcve.org/view.php?id=CVE-2024-33430
An issue in phiola/src/afilter/pcm_convert.h:513 of phiola v2.0-rc22 allows a remote attacker to execute arbitrary code via a crafted .wav file. • https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/segmentFault-1/poc/I2ZFI3~5 https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/segmentFault-1/segmentFault-1.assets/image-20240420011601263.png https://github.com/Helson-S/FuzzyTesting/blob/master/phiola/segmentFault-1/segmentFault-1.md https://github.com/Helson-S/FuzzyTesting/tree/master/phiola/segmentFault-1 https://github.com/Helson-S/FuzzyTesting/tree/master/phiola/segmentFault-1/poc https://github.com/stsaz/phiola • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-482: Comparing instead of Assigning •