
CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Any unprivileged operating system user can connect to the JMX service running on port 5599/TCP on localhost and leverage the MLet Bean within JMX to load a remote MBean from an attacker-controlled server. This allows an attacker to execute arbitrary code within the Java process run by Ant Media Server and execute code within the context of the `antmedia` service account on the system. • https://github.com/ant-media/Ant-Media-Server/commit/9cb38500729e0ff302da0290b9cfe1ec4dd6c764 https://github.com/ant-media/Ant-Media-Server/security/advisories/GHSA-qwhw-hh9j-54f5 • CWE-862: Missing Authorization •

CVSS: 10.0 | EPSS: 96% | CPEs: 2 | EXPL: 14

A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. ... CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). • https://github.com/entroychang/CVE-2024-4040 https://github.com/Mohammaddvd/CVE-2024-4040 https://github.com/Praison001/CVE-2024-4040-CrushFTP-server https://github.com/airbus-cert/CVE-2024-4040 https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC https://github.com/gotr00t0day/CVE-2024-4040 https://github.com/rbih-boulanouar/CVE-2024-4040 https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability https://github.com/olebris/CVE-2024-4040 https://github.com&# • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 9.8 | EPSS: 96% | CPEs: 1 | EXPL: 3

RCE (Remote Command Execution) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server from 1.0.0 before 1.3.0 on Java 8 and Java 11. Users are recommended to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which fixes the issue. Remote command execution (RCE) vulnerability in Apache HugeGraph-Server. ... Apache HugeGraph versions 1.0.0 and up to 1.3.0 suffer from a remote command execution vulnerability. ... Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. • https://github.com/Zeyad-Azima/CVE-2024-27348 https://github.com/kljunowsky/CVE-2024-27348 https://github.com/jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE http://www.openwall.com/lists/oss-security/2024/04/22/3 https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 • CWE-284: Improper Access Control •

CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0

An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component. • https://github.com/PWB003/cms/blob/main/1.md • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •

CVSS: 6.1 | EPSS: 0% | CPEs: - | EXPL: 0

Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2590, DAP-2690, DAP-2695, DAP-3520, DAP-3662 allows a remote attacker to execute arbitrary code via the reload parameter in the session_login.php component. • https://djallalakira.medium.com/cve-2024-28436-cross-site-scripting-vulnerability-in-d-link-dap-products-3596976cc99f https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10380 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10382 https://www.dlink.com/en/security-bulletin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •