CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-41285
https://notcve.org/view.php?id=CVE-2024-41285
A stack overflow in FAST FW300R v1.3.13 Build 141023 Rel.61347n allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via a crafted file path. • https://gist.github.com/Giles-one/834b2becd7abebc3cabea0484301d149 https://github.com/Giles-one/FW300RouterCrack https://www.fastcom.com.cn/product-8.html • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-45256
https://notcve.org/view.php?id=CVE-2024-45256
An arbitrary file write issue in the exfiltration endpoint in BYOB (Build Your Own Botnet) 2.0 allows attackers to overwrite SQLite databases and bypass authentication via an unauthenticated HTTP request with a crafted parameter. This occurs in file_add in api/files/routes.py. • https://github.com/malwaredllc/byob https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob https://github.com/chebuya/exploits/tree/main/BYOB-RCE • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-42788
https://notcve.org/view.php?id=CVE-2024-42788
This vulnerability allows remote attackers to execute arbitrary code via "title" & "artist" parameter fields. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Music%20Management%20System%20v1.0/Stored%20XSS%20-%20Add%20New%20Music%20List.pdf https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43955 – WordPress Droip plugin <= 1.1.1 - Unauthenticated Arbitrary File Download/Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-43955
This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://patchstack.com/database/vulnerability/droip/wordpress-droip-plugin-1-1-1-unauthenticated-arbitrary-file-download-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-45187 – Mage AI allows deleted users to use the terminal server with admin access, leading to remote code execution
https://notcve.org/view.php?id=CVE-2024-45187
Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server • https://research.jfrog.com/vulnerabilities/mage-ai-deleted-users-rce-jfsa-2024-001039602 • CWE-266: Incorrect Privilege Assignment •