CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-51142
https://notcve.org/view.php?id=CVE-2024-51142
Cross Site Scripting vulnerability in Chamilo LMS v.1.11.26 allows an attacker to execute arbitrary code via the svkey parameter of the storageapi.php file. • https://infosecwriteups.com/chamilo-lms-authentication-bypass-and-cross-site-scripting-stored-3fcb874ac7c1 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10728 – PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10728
This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://plugins.trac.wordpress.org/browser/ultimate-post/tags/4.1.16/classes/Importer.php#L94 https://plugins.trac.wordpress.org/browser/ultimate-post/tags/4.1.16/classes/Initialization.php#L330 https://plugins.trac.wordpress.org/changeset/3188636/ultimate-post/trunk/classes/Importer.php https://wordpress.org/plugins/ultimate-post https://www.wordfence.com/threat-intel/vulnerabilities/id/076f36fb-c2fb-43e0-a027-1351d3995489?source=cve • CWE-862: Missing Authorization •
CVSS: 8.8EPSS: 4%CPEs: -EXPL: 0CVE-2024-44625
https://notcve.org/view.php?id=CVE-2024-44625
Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. • https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs https://gogs.io • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52427 – WordPress Event Tickets with Ticket Scanner plugin <= 2.3.11 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-52427
The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/event-tickets-with-ticket-scanner/wordpress-event-tickets-with-ticket-scanner-plugin-2-3-11-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52429 – WordPress WP Quick Setup plugin <= 2.0 - Arbitrary Plugin and Theme Installation to Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-52429
This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins and themes which can be leveraged to achieve remote code execution. • https://patchstack.com/database/vulnerability/wp-quick-setup/wordpress-wp-quick-setup-plugin-2-0-arbitrary-plugin-and-theme-installation-to-remote-code-execution-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •