CVE-2024-29672
https://notcve.org/view.php?id=CVE-2024-29672
Directory Traversal vulnerability in zly2006 Reden before v.0.2.514 allows a remote attacker to execute arbitrary code via the DEBUG_RTC_REQUEST_SYNC_DATA in KeyCallbacks.kt. • https://gist.github.com/apple502j/193358682885fe1a6708309ce934e4ed https://github.com/zly2006/reden-is-what-we-made/commit/44c5320f0a1ccaa764dd91df6a12e747f81fe63a • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-31210 – PHP file upload bypass via Plugin installer
https://notcve.org/view.php?id=CVE-2024-31210
If the `DISALLOW_FILE_EDIT` constant is set to `true` on the site _and_ FTP credentials are required when uploading a new theme or plugin, then this technically allows an RCE when the user would otherwise have no means of executing arbitrary PHP code. This issue _only_ affects Administrator level users on single site installations, and Super Admin level users on Multisite installations where it's otherwise expected that the user does not have permission to upload or execute arbitrary PHP code. • https://github.com/Abo5/CVE-2024-31210 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-x79f-xrjv-jx5r • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-25706 – HTMLi at createFolder Content Injection
https://notcve.org/view.php?id=CVE-2024-25706
There is an HTML injection vulnerability in Esri Portal for ArcGIS <=11.0 that may allow a remote, unauthenticated attacker to craft a URL which, when clicked, could potentially generate a message that may entice an unsuspecting victim to visit an arbitrary website. • https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/portal-for-arcgis-security-2024-update-2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-3454
https://notcve.org/view.php?id=CVE-2023-3454
Remote code execution (RCE) vulnerability in Brocade Fabric OS after v9.0 and before v9.2.0 could allow an attacker to execute arbitrary code and use this to gain root access to the Brocade switch. • https://security.netapp.com/advisory/ntap-20240628-0004 https://support.broadcom.com/external/content/SecurityAdvisories/0/23215 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-3298 – Out-Of-Bounds Write and Type Confusion vulnerabilities exist in the DWG and DXF file reading procedure in eDrawings from Release SOLIDWORKS 2023 through Release SOLIDWORKS 2024
https://notcve.org/view.php?id=CVE-2024-3298
These vulnerabilities could allow an attacker to execute arbitrary code while opening a specially crafted DWG or DXF. ... This vulnerability allows remote attackers to execute arbitrary code on affected installations of Dassault Systèmes eDrawings Viewer. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.3ds.com/vulnerability/advisories • CWE-787: Out-of-bounds Write CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') •