CVSS: -EPSS: 0%CPEs: -EXPL: 1CVE-2024-33896 – Ewon Cosy+ Command Injection
https://notcve.org/view.php?id=CVE-2024-33896
Cosy+ devices running a firmware 21.x below 21.2s10 or a firmware 22.x below 22.1s3 are vulnerable to code injection due to improper parameter blacklisting. • https://github.com/codeb0ss/CVE-2024-33896-PoC https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf https://www.ewon.biz/products/cosy/ewon-cosy-wifi https://www.hms-networks.com/cyber-security https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6715 – Ditty 3.1.39-3.1.45 - Author+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6715
The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Content Title' field in versions 3.1.39 to 3.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was previously patched as CVE-2024-3939 and was recently reintroduced. • https://wpscan.com/vulnerability/19406acc-3441-4d4a-9163-ace8f1dceb78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41956 – Soft Serve allows arbitrary code execution by crafting git-lfs requests
https://notcve.org/view.php?id=CVE-2024-41956
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5. • https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41961 – Elektra vulnerable to remote code execution in universal search
https://notcve.org/view.php?id=CVE-2024-41961
A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. • https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02 https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q • CWE-94: Improper Control of Generation of Code ('Code Injection') •