CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2024-32651 – Server Side Template Injection in Jinja2 allows Remote Command Execution
https://notcve.org/view.php?id=CVE-2024-32651
There is a Server Side Template Injection (SSTI) in Jinja2 that allows Remote Command Execution on the server host. ... Esto se puede reducir si la detección de cambios está detrás de una página de inicio de sesión, pero la aplicación no lo requiere (no es de forma predeterminada ni obligatorio). changedetection versions 0.45.20 and below suffer from a remote code execution vulnerability. • https://github.com/zcrosman/cve-2024-32651 https://github.com/s0ck3t-s3c/CVE-2024-32651-changedetection-RCE https://blog.hacktivesecurity.com/index.php/2024/05/08/cve-2024-32651-server-side-template-injection-changedetection-io https://github.com/dgtlmoon/changedetection.io/releases/tag/0.45.21 https://github.com/dgtlmoon/changedetection.io/security/advisories/GHSA-4r7v-whpg-8rx3 https://www.onsecurity.io/blog/server-side-template-injection-with-jinja2 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0916 – Unauthenticated Remote Code Execution in UvDesk Community
https://notcve.org/view.php?id=CVE-2024-0916
Unauthenticated file upload allows remote code execution. This issue affects UvDesk Community: from 1.0.0 through 1.1.3. • https://github.com/uvdesk/core-framework/pull/706 https://pentraze.com/vulnerability-reports • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-25624 – iris-web vulnerable to Server Side Template Injection in reports
https://notcve.org/view.php?id=CVE-2024-25624
Successful exploitation of the vulnerability can lead to an arbitrary Remote Code Execution. • https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m64w-f7fg-hpcr • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-33628 – WordPress XforWooCommerce plugin <= 2.0.2 - Authenticated Local File Inclusion vulnerability
https://notcve.org/view.php?id=CVE-2024-33628
This makes it possible for authenticated attackers, with subscriber-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://patchstack.com/database/vulnerability/xforwoocommerce/wordpress-xforwoocommerce-plugin-2-0-2-authenticated-local-file-inclusion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 5.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-31574
https://notcve.org/view.php?id=CVE-2024-31574
Cross Site Scripting vulnerability in TWCMS v.2.6 allows a local attacker to execute arbitrary code via a crafted script La vulnerabilidad de Cross-Site Scripting en TWCMS v.2.6 permite a un atacante local ejecutar código arbitrario a través de un script manipulado. • https://github.com/ysl1415926/cve/blob/main/CVE-2024-31574.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •