CVE-2024-33369
https://notcve.org/view.php?id=CVE-2024-33369
Directory Traversal vulnerability in Plasmoapp RPShare Fabric mod v.1.0.0 allows a remote attacker to execute arbitrary code via the getFileNameFromConnection method in DownloadTask • https://gist.github.com/apple502j/54e0f80bfe082fd934e33970394adbb8 https://github.com/plasmoapp/RPShare • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-47175 – libppd's ppdCreatePPDFromIPP2 function does not sanitize IPP attributes when creating the PPD buffer
https://notcve.org/view.php?id=CVE-2024-47175
This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176. • https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8 https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47 https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5 https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6 https://www.cups.org https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I https://access.redhat.com/security/cve/CVE-2024-47175 https://b • CWE-20: Improper Input Validation CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVE-2024-47180 – Shields.io Remote Code Execution vulnerability in Dynamic JSON/TOML/YAML badges
https://notcve.org/view.php?id=CVE-2024-47180
Shields.io is a service for concise, consistent, and legible badges in SVG and raster format. Shields.io and users self-hosting their own instance of shields using version < `server-2024-09-25` are vulnerable to a remote execution vulnerability via the JSONPath library used by the Dynamic JSON/Toml/Yaml badges. This vulnerability would allow any user with access to make a request to a URL on the instance to the ability to execute code by crafting a malicious JSONPath expression. All users who self-host an instance are vulnerable. This problem was fixed in server-2024-09-25. • https://github.com/badges/shields/commit/ec1b6c8daccda075403c1688ac02603f7aaa50b2 https://github.com/badges/shields/issues/10553 https://github.com/badges/shields/pull/10551 https://github.com/badges/shields/security/advisories/GHSA-rxvx-x284-4445 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2024-47169 – Agnai vulnerable to Remote Code Execution via JS Upload using Directory Traversal
https://notcve.org/view.php?id=CVE-2024-47169
Agnai is an artificial-intelligence-agnostic multi-user, mult-bot roleplaying chat system. A vulnerability in versions prior to 1.0.330 permits attackers to upload arbitrary files to attacker-chosen locations on the server, including JavaScript, enabling the execution of commands within those files. This issue could result in unauthorized access, full server compromise, data leakage, and other critical security threats. This does not affect `agnai.chat`, installations using S3-compatible storage, or self-hosting that is not publicly exposed. This does affect publicly hosted installs without S3-compatible storage. • https://github.com/agnaistic/agnai/security/advisories/GHSA-mpch-89gm-hm83 • CWE-35: Path Traversal: '.../...//' CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2022-49038
https://notcve.org/view.php?id=CVE-2022-49038
Inclusion of functionality from untrusted control sphere vulnerability in OpenSSL DLL component in Synology Drive Client before 3.3.0-15082 allows local users to execute arbitrary code via unspecified vectors. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_10 • CWE-829: Inclusion of Functionality from Untrusted Control Sphere •