CVE-2024-37869
https://notcve.org/view.php?id=CVE-2024-37869
File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable • https://gist.github.com/TERRENCE-REX/7e5dfdd3583bf9fd81196f557a8b8879 https://github.com/TERRENCE-REX/CVE/issues/2 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-41925 – Optigo Networks ONS-S8 Spectra Aggregation Switch PHP Remote File Inclusion
https://notcve.org/view.php?id=CVE-2024-41925
The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-275-01 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-41988 – Missing Authentication for Critical Function vulnerability in TEM Opera Plus FM Family Transmitter
https://notcve.org/view.php?id=CVE-2024-41988
This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-01 • CWE-306: Missing Authentication for Critical Function •
CVE-2024-47561 – Apache Avro Java SDK: Arbitrary Code Execution when reading Avro schema (Java SDK)
https://notcve.org/view.php?id=CVE-2024-47561
Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4 or 1.12.0, which fix this issue. ... This flaw allows an attacker to trigger remote code execution by using the special "java-class" attribute. • https://lists.apache.org/thread/c2v7mhqnmq0jmbwxqq3r5jbj1xg43h5x https://access.redhat.com/security/cve/CVE-2024-47561 https://bugzilla.redhat.com/show_bug.cgi?id=2316116 • CWE-502: Deserialization of Untrusted Data •
CVE-2024-41593
https://notcve.org/view.php?id=CVE-2024-41593
DrayTek Vigor310 devices through 4.3.2.6 allow a remote attacker to execute arbitrary code via the function ft_payload_dns(), because a byte sign-extension operation occurs for the length argument of a _memcpy call, leading to a heap-based Buffer Overflow. • https://www.forescout.com/resources/draybreak-draytek-research https://www.forescout.com/resources/draytek14-vulnerabilities •