CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11082 – Tumult Hype Animations <= 1.9.15 - Authenticated (Author+) Arbitrary File Upload via hypeanimations_panel Function
https://notcve.org/view.php?id=CVE-2024-11082
27 Nov 2024 — This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/tumult/hype-wordpress-plugin/commit/1702d3d4fd0fae9cb9fc40cdfc3dfb8584d5f04c • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 3EXPL: 8CVE-2024-42327 – SQL injection in user.get API
https://notcve.org/view.php?id=CVE-2024-42327
27 Nov 2024 — An SQLi exists in the CUser class in the addRelatedObjects function, this function is being called from the CUser.get function which is available for every user who has API access. ... Existe una SQLi en la clase CUser en la función addRelatedObjects; esta función se llama desde la función CUser.get, que está disponible para todos los usuarios que tienen acceso a la API. Proof of concept exploit for an authenticated remote SQL Injection vulnerability in Zabbix through the user.ge... • https://github.com/BridgerAlderson/Zabbix-CVE-2024-42327-SQL-Injection-RCE • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52959 – iota C.ai Conversational Platform - Improper Control of Generation of Code ('Code Injection')
https://notcve.org/view.php?id=CVE-2024-52959
27 Nov 2024 — A Improper Control of Generation of Code ('Code Injection') vulnerability in plugin management in iota C.ai Conversational Platform from 1.0.0 through 2.1.3 allows remote authenticated users to perform arbitrary system commands via a DLL file. • https://zuso.ai/advisory/za-2024-12 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53676 – Hewlett Packard Enterprise Insight Remote Support processAtatchmentDataStream Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-53676
27 Nov 2024 — A directory traversal vulnerability in Hewlett Packard Enterprise Insight Remote Support may allow remote code execution. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Insight Remote Support. ... An attacker can leverage this vulnerability to execute code in the context of SYSTEM. • https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04731en_us • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52951 – Omada Identity Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-52951
27 Nov 2024 — Stored Cross-Site Scripting in the Access Request History in Omada Identity before version 15 update 1 allows an authenticated attacker to execute arbitrary code in the browser of a victim via a specially crafted link or by viewing a manipulated Access Request History Omada Identity versions prior to 15U1 and 14.14 hotfix #309 suffer from a persistent cross site scripting vulnerability. • https://omadaidentity.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53603
https://notcve.org/view.php?id=CVE-2024-53603
27 Nov 2024 — A SQL Injection vulnerability was found in /covid-tms/password-recovery.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the contactno POST request parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/COVID19/SQL%20Injection%20vulnerability.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53635
https://notcve.org/view.php?id=CVE-2024-53635
27 Nov 2024 — A Reflected Cross Site Scripting (XSS) vulnerability was found in /covid-tms/patient-search-report.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata POST request parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/COVID19/Reflected%20Cross%20Site%20Scripting.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-53920
https://notcve.org/view.php?id=CVE-2024-53920
27 Nov 2024 — In elisp-mode.el in GNU Emacs through 30.0.92, a user who chooses to invoke elisp-completion-at-point (for code completion) on untrusted Emacs Lisp source code can trigger unsafe Lisp macro expansion that allows attackers to execute arbitrary code. (This unsafe expansion also occurs if a user chooses to enable on-the-fly diagnosis that byte compiles untrusted Emacs Lisp source code.) • https://eshelyaron.com/posts/2024-11-27-emacs-aritrary-code-execution-and-how-to-avoid-it.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-8672 – Widget Options – The #1 WordPress Widget & Block Control Plugin <= 4.0.7 - Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-8672
27 Nov 2024 — The Widget Options – The #1 WordPress Widget & Block Control Plugin plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.0.7 via the display logic functionality that extends several page builders. ... This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. • https://github.com/Chocapikk/CVE-2024-8672 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-53604
https://notcve.org/view.php?id=CVE-2024-53604
27 Nov 2024 — A SQL Injection vulnerability was found in /covid-tms/check_availability.php in PHPGurukul COVID 19 Testing Management System v1.0, which allows remote attackers to execute arbitrary code via the mobnumber POST request parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/COVID19/SQL%20Injection%20vulnerability%20mo.pdf • CWE-94: Improper Control of Generation of Code ('Code Injection') •