CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 4CVE-2024-25641 – Cacti RCE vulnerability when importing packages
https://notcve.org/view.php?id=CVE-2024-25641
Prior to version 1.2.27, an arbitrary file write vulnerability, exploitable through the "Package Import" feature, allows authenticated users having the "Import Templates" permission to execute arbitrary PHP code on the web server. ... This can be exploited to write or overwrite arbitrary files on the web server, leading to execution of arbitrary PHP code or other security impacts. ... Cacti versions prior to 1.2.27 suffer from an arbitrary file write vulnerability that allows for remote code execution. • https://github.com/StopThatTalace/CVE-2024-25641-CACTI-RCE-1.2.26 https://github.com/5ma1l/CVE-2024-25641 https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26 https://github.com/Safarchand/CVE-2024-25641 http://seclists.org/fulldisclosure/2024/May/6 https://github.com/Cacti/cacti/commit/eff35b0ff26cc27c82d7880469ed6d5e3bef6210 https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88 https://lists.fedoraproject.org/archives/li • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 2EXPL: 0CVE-2024-29212
https://notcve.org/view.php?id=CVE-2024-29212
Due to an unsafe de-serialization method used by the Veeam Service Provider Console(VSPC) server in communication between the management agent and its components, under certain conditions, it is possible to perform Remote Code Execution (RCE) on the VSPC server machine. Debido a un método de deserialización inseguro utilizado por el servidor Veeam Service Provider Console (VSPC) en la comunicación entre el agente de administración y sus componentes, bajo ciertas condiciones, es posible realizar la ejecución remota de código (RCE) en la máquina del servidor VSPC. • https://www.veeam.com/kb4575 • CWE-502: Deserialization of Untrusted Data •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-32700 – WordPress Kognetiks Chatbot for WordPress plugin <= 2.0.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-32700
This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://github.com/nastar-id/CVE-2024-32700 https://patchstack.com/database/vulnerability/chatbot-chatgpt/wordpress-kognetiks-chatbot-for-wordpress-plugin-2-0-0-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-4701 – Path Traversal vulnerability via File Uploads in Genie
https://notcve.org/view.php?id=CVE-2024-4701
A path traversal issue potentially leading to remote code execution in Genie for all versions prior to 4.3.18 Un problema de Path Traversal que podría provocar la ejecución remota de código en Genie para todas las versiones anteriores a la 4.3.18 • https://github.com/JoeBeeton/CVE-2024-4701-POC https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-001.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34359 – llama-cpp-python vulnerable to Remote Code Execution by Server-Side Template Injection in Model Metadata
https://notcve.org/view.php?id=CVE-2024-34359
This allows `jinja2` Server Side Template Injection which leads to remote code execution by a carefully constructed payload. llama-cpp-python son los enlaces de Python para llama.cpp. • https://github.com/abetlen/llama-cpp-python/commit/b454f40a9a1787b2b5659cd2cb00819d983185df https://github.com/abetlen/llama-cpp-python/security/advisories/GHSA-56xg-wfcc-g829 • CWE-76: Improper Neutralization of Equivalent Special Elements •