CVSS: 7.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-9393 – firefox: thunderbird: Cross-origin access to PDF contents through multipart responses
https://notcve.org/view.php?id=CVE-2024-9393
An attacker could, via a specially crafted multipart response, execute arbitrary JavaScript under the `resource://pdf.js` origin. This could allow them to access cross-origin PDF content. This access is limited to "same site" documents by the Site Isolation feature on desktop clients, but full cross-origin access is possible on Android versions. This vulnerability affects Firefox < 131, Firefox ESR < 128.3, Firefox ESR < 115.16, Thunderbird < 128.3, and Thunderbird < 131. A flaw was found in Mozilla. • https://bugzilla.mozilla.org/show_bug.cgi?id=1918301 https://www.mozilla.org/security/advisories/mfsa2024-46 https://www.mozilla.org/security/advisories/mfsa2024-47 https://www.mozilla.org/security/advisories/mfsa2024-48 https://www.mozilla.org/security/advisories/mfsa2024-49 https://www.mozilla.org/security/advisories/mfsa2024-50 https://access.redhat.com/security/cve/CVE-2024-9393 https://bugzilla.redhat.com/show_bug.cgi?id=2315956 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-346: Origin Validation Error •
CVSS: 5.7EPSS: 0%CPEs: -EXPL: 0CVE-2024-44744
https://notcve.org/view.php?id=CVE-2024-44744
An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. NOTE: Malwarebytes argues that this issue requires admin privileges and that the contents cannot be altered by non-admin users. • https://googleprojectzero.blogspot.com/2016/02/the-definitive-guide-on-win32-to-nt.html https://medium.com/%40danielshaulov01/malwarebytes-premium-security-av-bypass-cve-2024-44744-97bb6192ed4a • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-46080
https://notcve.org/view.php?id=CVE-2024-46080
Scriptcase v9.10.023 and before is vulnerable to Remote Code Execution (RCE) via the nm_zip function. • https://blog.hawktesters.com/zero-day-alert-scriptcase-vulnerabilities-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8254 – Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8254
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. • https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4ae4a7-aec1-4cc1-bea0-61dde44027fc?source=cve https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.7.29/lite/includes/class-es-common.php#L244 https://plugins.trac.wordpress.org/changeset/3157336 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-45874 – VegaBird Vooki 5.2.9 DLL Hijacking
https://notcve.org/view.php?id=CVE-2024-45874
A DLL hijacking vulnerability in VegaBird Vooki 5.2.9 allows attackers to execute arbitrary code / maintain persistence via placing a crafted DLL file in the same directory as Vooki.exe. VegaBird Vooki version 5.2.9 suffers from a dll hijacking vulnerability. • http://vegabird.com https://sploitus.com/exploit?id=PACKETSTORM:181913 • CWE-94: Improper Control of Generation of Code ('Code Injection') •