CVE-2024-3871 – Authenticated Remote Command Injection in Delta Electronics DVW
https://notcve.org/view.php?id=CVE-2024-3871
This interface implements multiple features that are affected by command injection and stack overflow vulnerabilities. Successful exploitation of these flaws would allow remote unauthenticated attackers to gain remote code execution with elevated privileges on the affected devices. This issue affects DVW-W02W2-E2 through version 2.5.2. • https://onekey.com • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2024-1961 – Path Traversal leading to Arbitrary File Write and RCE in vertaai/modeldb
https://notcve.org/view.php?id=CVE-2024-1961
This flaw can lead to Remote Code Execution (RCE) by overwriting critical files, such as the application's configuration file, especially when the application is run outside of Docker. • https://huntr.com/bounties/5f602914-3e5d-407a-b8ce-fb444a4e8bb3 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-3571 – Path Traversal in langchain-ai/langchain
https://notcve.org/view.php?id=CVE-2024-3571
An attacker can leverage this vulnerability to read or write files anywhere on the filesystem, potentially leading to information disclosure or remote code execution. • https://github.com/langchain-ai/langchain/commit/aad3d8bd47d7f5598156ff2bdcc8f736f24a7412 https://huntr.com/bounties/2df3acdc-ee4f-4257-bbf8-a7de3870a9d8 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-2912 – Insecure Deserialization Leading to RCE in bentoml/bentoml
https://notcve.org/view.php?id=CVE-2024-2912
An insecure deserialization vulnerability exists in the BentoML framework, allowing remote code execution (RCE) by sending a specially crafted POST request. By exploiting this vulnerability, attackers can execute arbitrary commands on the server hosting the BentoML application. The vulnerability is triggered when a serialized object, crafted to execute OS commands upon deserialization, is sent to any valid BentoML endpoint. • https://github.com/bentoml/bentoml/commit/fd70379733c57c6368cc022ac1f841b7b426db7b https://huntr.com/bounties/349a1cce-6bb5-4345-82a5-bf7041b65a68 • CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2024-3271 – Command Injection in run-llama/llama_index
https://notcve.org/view.php?id=CVE-2024-3271
Attackers can bypass the intended security mechanism, which checks for the presence of underscores in code generated by LLM, to execute arbitrary code. ... The vulnerability allows for remote code execution (RCE) on the server hosting the application. • https://github.com/run-llama/llama_index/commit/5fbcb5a8b9f20f81b791c7fc8849e352613ab475 https://huntr.com/bounties/9b32490e-7cf9-470e-8d49-ba083ae7a279 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •