CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A specifically crafted request allowed the creation of a special chart type with the ability to pass custom JavaScript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. • https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p93 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute arbitrary code within the Celery container. • https://github.com/jumpserver/jumpserver/security/advisories/GHSA-2vvr-vmvx-73ch • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.9 • EPSS: 0% • CPEs: 1 • EXPL: 0

Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code within the Celery container. • https://github.com/jumpserver/jumpserver/security/advisories/GHSA-pjpp-cm9x-6rwj • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/shortcode-addons/wordpress-shortcode-addons-3-2-5-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/chauffeur-booking-system/wordpress-chauffeur-taxi-booking-system-for-wordpress-plugin-6-9-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type