CVE-2024-27348 – Apache HugeGraph-Server Improper Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2024-27348
Remote Command Execution (RCE) vulnerability in Apache HugeGraph-Server. This issue affects Apache HugeGraph-Server from 1.0.0 before 1.3.0 on Java 8 and Java 11. Users are recommended to upgrade to version 1.3.0 with Java 11 and enable the Auth system, which fixes the issue. Apache HugeGraph versions 1.0.0 and up to 1.3.0 suffer from a remote command execution vulnerability. Apache HugeGraph-Server contains an improper access control vulnerability that could allow a remote attacker to execute arbitrary code. • https://github.com/Zeyad-Azima/CVE-2024-27348 https://github.com/kljunowsky/CVE-2024-27348 https://github.com/jakabakos/CVE-2024-27348-Apache-HugeGraph-RCE http://www.openwall.com/lists/oss-security/2024/04/22/3 https://hugegraph.apache.org/docs/config/config-authentication/#configure-user-authentication https://lists.apache.org/thread/nx6g6htyhpgtzsocybm242781o8w5kq9 • CWE-284: Improper Access Control •
CVE-2024-32418
https://notcve.org/view.php?id=CVE-2024-32418
An issue in flusity CMS v2.33 allows a remote attacker to execute arbitrary code via the add_addon.php component. • https://github.com/PWB003/cms/blob/main/1.md • CWE-269: Improper Privilege Management CWE-284: Improper Access Control •
CVE-2024-28436
https://notcve.org/view.php?id=CVE-2024-28436
Cross Site Scripting vulnerability in D-Link DAP products DAP-2230, DAP-2310, DAP-2330, DAP-2360, DAP-2553, DAP-2590, DAP-2690, DAP-2695, DAP-3520, DAP-3662 allows a remote attacker to execute arbitrary code via the reload parameter in the session_login.php component. • https://djallalakira.medium.com/cve-2024-28436-cross-site-scripting-vulnerability-in-d-link-dap-products-3596976cc99f https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10380 https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10382 https://www.dlink.com/en/security-bulletin • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-3499 – ElementsKit Elementor addons <= 3.1.0 - Authenticated (Contributor+) Local File Inclusion via Onepage Scroll Module
https://notcve.org/view.php?id=CVE-2024-3499
This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://plugins.trac.wordpress.org/changeset/3070789/elementskit-lite https://www.wordfence.com/threat-intel/vulnerabilities/id/6158ec37-a6fb-42f9-bab6-bf547ea28ea0?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-32836 – WordPress WP-Lister Lite for eBay plugin <= 3.5.11 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-32836
This makes it possible for authenticated attackers, with shop manager-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/wp-lister-for-ebay/wordpress-wp-lister-lite-for-ebay-plugin-3-5-11-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •