CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34347 – @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
https://notcve.org/view.php?id=CVE-2024-34347
However, the vm module is not safe for sandboxing untrusted Javascript code. This is because code inside the vm context can break out if it can get a hold of any reference to an object created outside of the vm. • https://github.com/hoppscotch/hoppscotch/commit/22c6eabd133195d22874250a5ae40cb26b851b01 https://github.com/hoppscotch/hoppscotch/security/advisories/GHSA-qmmm-73r2-f8xr • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3807 – Porto <= 7.1.0 - Authenticated (Contributor+) Local File Inclusion via Post Meta
https://notcve.org/view.php?id=CVE-2024-3807
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc3da9e-4b5f-4200-9df9-0ae953571377?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3809 – Porto Theme - Functionality <= 3.0.9 - Authenticated (Contributor+) Local File Inclusion via Post Meta
https://notcve.org/view.php?id=CVE-2024-3809
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 https://www.wordfence.com/threat-intel/vulnerabilities/id/f5cdd3c1-6353-4bee-a4f9-5b7972f0970c?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-3808 – Porto Theme - Functionality <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
https://notcve.org/view.php?id=CVE-2024-3808
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 https://www.wordfence.com/threat-intel/vulnerabilities/id/fea96f84-f75b-4f02-9ca8-f8fda439d565?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3806 – Porto <= 7.1.0 - Unauthenticated Local File Inclusion via porto_ajax_posts
https://notcve.org/view.php?id=CVE-2024-3806
This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. • https://github.com/truonghuuphuc/CVE-2024-3806-AND-CVE-2024-3807-Poc https://themeforest.net/item/porto-responsive-wordpress-ecommerce-theme/9207399 https://www.wordfence.com/threat-intel/vulnerabilities/id/98ccc604-79c6-4be9-acb0-23fc82a31dfa?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •