CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47836 – Admidio vulnerable to HTML Injection In The Messages Section
https://notcve.org/view.php?id=CVE-2024-47836
Prior to version 4.3.12, an unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server. • https://github.com/Admidio/admidio/security/advisories/GHSA-7c4c-749j-pfp2 • CWE-502: Deserialization of Untrusted Data •
CVSS: -EPSS: 0%CPEs: 4EXPL: 0CVE-2024-9143 – Low-level invalid GF(2^m) parameters lead to OOB memory access
https://notcve.org/view.php?id=CVE-2024-9143
Issue summary: Use of the low-level GF(2^m) elliptic curve APIs with untrusted explicit values for the field polynomial can lead to out-of-bounds memory reads or writes. Impact summary: Out of bound memory writes can lead to an application crash or even a possibility of a remote code execution, however, in all the protocols involving Elliptic Curve Cryptography that we're aware of, either only "named curves" are supported, or, if explicit curve parameters are supported, they specify an X9.62 encoding of binary (GF(2^m)) curves that can't represent problematic input values. ... Remote code execution cannot easily be ruled out. The FIPS modules in 3.3, 3.2, 3.1 and 3.0 are not affected by this issue. • https://github.com/openssl/openssl/commit/72ae83ad214d2eef262461365a1975707f862712 https://github.com/openssl/openssl/commit/bc7e04d7c8d509fb78fc0e285aa948fb0da04700 https://github.com/openssl/openssl/commit/c0d3e4d32d2805f49bec30547f225bc4d092e1f4 https://github.com/openssl/openssl/commit/fdf6723362ca51bd883295efe206cb5b1cfa5154 https://github.openssl.org/openssl/extended-releases/commit/8efc0cbaa8ebba8e116f7b81a876a4123594d86a https://github.openssl.org/openssl/extended-releases/commit/9d576994cec2b7aa37a91740ea7e680810957e41 https://openssl-library.org/news/secadv/20241016.txt • CWE-787: Out-of-bounds Write •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9348 – Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view
https://notcve.org/view.php?id=CVE-2024-9348
Docker Desktop before v4.34.3 allows RCE via unsanitized GitHub source link in Build view. Docker Desktop anterior a v4.34.3 permite RCE a través de un enlace de origen de GitHub no desinfectado en la vista de compilación. • https://docs.docker.com/desktop/release-notes/#4343 • CWE-20: Improper Input Validation CWE-116: Improper Encoding or Escaping of Output •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-45257 – BYOB Unauthenticated Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-45257
https://blog.chebuya.com/posts/unauthenticated-remote-command-execution-on-byob •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-49254 – WordPress ajax-extend plugin <= 1.0 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-49254
Improper Control of Generation of Code ('Code Injection') vulnerability in Sunjianle allows Code Injection.This issue affects ajax-extend: from n/a through 1.0. • https://patchstack.com/database/vulnerability/ajax-extend/wordpress-ajax-extend-plugin-1-0-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •