CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2024-5730 – Pagerank Tools <= 1.1.5 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-5730
07 Jun 2024 — This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. PHPJabbers Cinema Booking System version 2.0 suffers from a remote SQL injection vulnerability. • https://packetstorm.news/files/id/189003 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36774
https://notcve.org/view.php?id=CVE-2024-36774
06 Jun 2024 — An arbitrary file upload vulnerability in Monstra CMS v3.0.4 allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/OoLs5/VulDiscovery/blob/main/poc.docx • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-2359 – Improper Neutralization of Special Elements used in an OS Command in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2359
06 Jun 2024 — A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. ... By changing the `host` setting to an attacker-controlled value, the restriction on the `/execute_code` endpoint can be bypassed, leading to remote code execution. • https://huntr.com/bounties/62144831-8d4b-4cf2-9737-5e559f7bc67e • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-2360 – Path Traversal leading to Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-2360
06 Jun 2024 — parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. • https://huntr.com/bounties/65d0ef59-a761-4bbd-86fa-dd8e8621082e • CWE-29: Path Traversal: '\..\filename' •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-3408 – Authentication Bypass and RCE in man-group/dtale
https://notcve.org/view.php?id=CVE-2024-3408
06 Jun 2024 — man-group/dtale version 3.10.0 is vulnerable to an authentication bypass and remote code execution (RCE) due to improper input validation. ... Additionally, the application fails to properly restrict custom filter queries, enabling attackers to execute arbitrary code on the server by bypassing the restriction on the `/update-settings` endpoint, even when `enable_custom_filters` is not enabled. This vulnerability allows attackers to bypass authen... • https://packetstorm.news/files/id/189509 • CWE-20: Improper Input Validation CWE-798: Use of Hard-coded Credentials •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-5187 – Arbitrary File Overwrite in download_model_with_test_data in onnx/onnx
https://notcve.org/view.php?id=CVE-2024-5187
06 Jun 2024 — This vulnerability enables attackers to overwrite any file on the system, potentially leading to remote code execution, deletion of system, personal, or application files, thus impacting the integrity and availability of the system. • https://huntr.com/bounties/50235ebd-3410-4ada-b064-1a648e11237e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5278 – Unrestricted File Upload leading to RCE in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-5278
06 Jun 2024 — This vulnerability, present in the latest version as of 20240310, could lead to stored XSS attacks and potentially result in remote code execution (RCE) on the server hosting the application. gaizhenbiao/chuanhuchatgpt es afectado por una vulnerabilidad de carga de archivos sin restricciones debido a una validación insuficiente de los tipos de archivos cargados en su endpoint `/upload`. ... Esta vulnerabilidad, presente en la última versión 20240310, podría provocar... • https://huntr.com/bounties/ea821d86-941b-40f3-a857-91f758848e05 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3095 – SSRF in Langchain Web Research Retriever in langchain-ai/langchain
https://notcve.org/view.php?id=CVE-2024-3095
06 Jun 2024 — The vulnerability arises because the Web Research Retriever does not restrict requests to remote internet addresses, allowing it to reach local addresses. This flaw enables attackers to execute port scans, access local services, and in some scenarios, read instance metadata from cloud environments. ... This could potentially lead to arbitrary code execution, depending on the nature of the local services. • https://github.com/leoCottret/CVE-2024-30956 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 5.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-3166 – Cross-Site Scripting (XSS) Vulnerability in mintplex-labs/anything-llm
https://notcve.org/view.php?id=CVE-2024-3166
06 Jun 2024 — The vulnerability arises from the application's feature to fetch and embed content from websites into workspaces, which can be exploited to execute arbitrary JavaScript code. In the desktop application, this flaw can be escalated to Remote Code Execution (RCE) due to insecure application settings, specifically the enabling of 'nodeIntegration' and the disabling of 'contextIsolation' in Electron's webPreferences. ... En la aplicación de escritorio, esta... • https://github.com/mintplex-labs/anything-llm/commit/fa27103d032c58904c49b92ee13fabc19a20a5ce • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-4320 – Remote Code Execution due to LFI in '/install_extension' in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-4320
06 Jun 2024 — A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for local file inclusion (LFI) leading to arbitrary code execution. An attacker can exploit this vulnerabilit... • https://github.com/bolkv/CVE-2024-4320 • CWE-29: Path Traversal: '\..\filename' •