CVE-2024-34069 – Werkzeug's improper usage of a pathname and improper CSRF protection result in remote command execution
https://notcve.org/view.php?id=CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. A flaw was found in Werkzeug, where an attacker may be able to execute code on a developer's machine under some circumstances.
References: https://github.com/pallets/werkzeug/commit/3386395b24c7371db11a5b8eaac0c91da5362692 https://github.com/pallets/werkzeug/security/advisories/GHSA-2g68-c3qc-8985 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4SH32AM3CTPMAAEOIDAN7VU565LO4IR https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HFERFN7PINV4MOGMGA3DPIXJPDCYOEJZ https://security.netapp.com/advisory/ntap-20240614-0004 https://access.redhat.com/security/cve/CVE-2024-34069 https://bugzilla.redhat.
Weakness: CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2024-27281 – ruby: RCE vulnerability with .rdoc_options in RDoc
https://notcve.org/view.php?id=CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) This issue may lead to object injection, resulting in remote code execution.
References: https://hackerone.com/reports/1187477 https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281 https://access.redhat.com/security/cve/CVE-2024-27281 https://bugzilla.redhat.com/show_bug.cgi?
Weaknesses: CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-502: Deserialization of Untrusted Data
CVE-2023-49675 – CODESYS: Out-of-bounds write through corrupted project files
https://notcve.org/view.php?id=CVE-2023-49675
An unauthenticated local attacker may trick a user into opening corrupted project files to execute arbitrary code or crash the system due to an out-of-bounds write vulnerability.
References: https://cert.vde.com/en/advisories/VDE-2024-024
Weakness: CWE-787: Out-of-bounds Write
CVE-2024-34416 – WordPress Pk Favicon Manager plugin <= 2.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-34416
This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files to the affected site's server, which may make remote code execution possible.
References: https://patchstack.com/database/vulnerability/phpsword-favicon-manager/wordpress-pk-favicon-manager-plugin-2-1-arbitrary-file-upload-vulnerability?_s_id=cve
Weakness: CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-33294
https://notcve.org/view.php?id=CVE-2024-33294
An issue in Library System using PHP/MySQli with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component.
References: https://github.com/CveSecLook/cve/issues/16
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')