CVE-2024-1491 – Electrolink FM/DAB/TV Transmitter Missing Authentication for Critical Function
https://notcve.org/view.php?id=CVE-2024-1491
This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code.
References: https://www.cisa.gov/news-events/ics-advisories/icsa-24-107-02
CWE-306: Missing Authentication for Critical Function
CVE-2024-32462 – Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
https://notcve.org/view.php?id=CVE-2024-32462
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. In versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox.
References: http://www.openwall.com/lists/oss-security/2024/04/18/5 https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/messa
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CVE-2024-3813 – tagDiv Composer <= 4.8 - Authenticated (Contributor+) Local File Inclusion via Shortcode
https://notcve.org/view.php?id=CVE-2024-3813
This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
References: https://tagdiv.com/tagdiv-composer-page-builder-basics https://www.wordfence.com/threat-intel/vulnerabilities/id/87b7bc4a-4d2f-4bcb-a9d5-72e31c95c09e?source=cve
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-28890 – Forminator <= 1.28.1 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-28890
If this vulnerability is exploited, a remote attacker may obtain sensitive information by accessing files on the server, alter the site that uses the plugin, and cause a denial-of-service (DoS) condition. ... This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server, which may make remote code execution possible.
References: https://jvn.jp/en/jp/JVN50132400 https://wordpress.org/plugins/forminator https://wpmudev.com
CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2024-30564
https://notcve.org/view.php?id=CVE-2024-30564
An issue in andrei-tatar nora-firebase-common between v1.0.41 and v1.12.2 allows a remote attacker to execute arbitrary code via a crafted script passed to the updateState parameter of the updateStateInternal method.
References: https://gist.github.com/mestrtee/5dc2c948c2057f98d3de0a9790903c6c https://github.com/andrei-tatar/nora-firebase-common/commit/bf30b75d51be04f6c1f884561a223226c890f01b
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')