CVE-2024-27281 – ruby: RCE vulnerability with .rdoc_options in RDoc
https://notcve.org/view.php?id=CVE-2024-27281
When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. (When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache.) ... This issue may lead to object injection, resulting in remote code execution.
• References: https://hackerone.com/reports/1187477 https://www.ruby-lang.org/en/news/2024/03/21/rce-rdoc-cve-2024-27281 https://access.redhat.com/security/cve/CVE-2024-27281 https://bugzilla.redhat.com/show_bug.cgi?
• CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-502: Deserialization of Untrusted Data
CVE-2023-49675 – CODESYS: Out-of-bounds write through corrupted project files
https://notcve.org/view.php?id=CVE-2023-49675
An unauthenticated local attacker may trick a user into opening corrupted project files to execute arbitrary code or crash the system, due to an out-of-bounds write vulnerability.
• References: https://cert.vde.com/en/advisories/VDE-2024-024
• CWE-787: Out-of-bounds Write
CVE-2024-34416 – WordPress Pk Favicon Manager plugin <= 2.1 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-34416
This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
• References: https://patchstack.com/database/vulnerability/phpsword-favicon-manager/wordpress-pk-favicon-manager-plugin-2-1-arbitrary-file-upload-vulnerability?_s_id=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-33294
https://notcve.org/view.php?id=CVE-2024-33294
An issue in Library System using PHP/MySQLi with Source Code V1.0 allows a remote attacker to execute arbitrary code via the _FAILE variable in the student_edit_photo.php component.
• References: https://github.com/CveSecLook/cve/issues/16
• CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-34411 – WordPress canvasio3D Light plugin <= 2.5.0 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-34411
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server, which may make remote code execution possible.
• References: https://patchstack.com/database/vulnerability/canvasio3d-light/wordpress-canvasio3d-light-plugin-2-5-0-arbitrary-file-upload-vulnerability?_s_id=cve
• CWE-434: Unrestricted Upload of File with Dangerous Type