CVSS: 7.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-30920 – DerbyNet 9.0 render-document.php Cross Site Scripting
https://notcve.org/view.php?id=CVE-2024-30920
Cross Site Scripting vulnerability in DerbyNet v9.0 and below allows a remote attacker to execute arbitrary code via the render-document.php component. • https://chocapikk.com/posts/2024/derbynet-vulnerabilities • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-31083 – Xorg-x11-server: use-after-free in procrenderaddglyphs
https://notcve.org/view.php?id=CVE-2024-31083
This flaw allows an authenticated attacker to execute arbitrary code on the system by sending a specially crafted request. ... An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the ProcRenderAddGlyphs function. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • http://www.openwall.com/lists/oss-security/2024/04/03/13 http://www.openwall.com/lists/oss-security/2024/04/12/10 https://access.redhat.com/errata/RHSA-2024:1785 https://access.redhat.com/errata/RHSA-2024:2036 https://access.redhat.com/errata/RHSA-2024:2037 https://access.redhat.com/errata/RHSA-2024:2038 https://access.redhat.com/errata/RHSA-2024:2039 https://access.redhat.com/errata/RHSA-2024:2040 https://access.redhat.com/errata/RHSA-2024:2041 https:// • CWE-416: Use After Free •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-27448
https://notcve.org/view.php?id=CVE-2024-27448
MailDev 2 through 2.1.0 allows Remote Code Execution via a crafted Content-ID header for an e-mail attachment, leading to lib/mailserver.js writing arbitrary code into the routes.js file. • https://gist.github.com/stypr/fe2003f00959f7e3d92ab9d5260433f8 https://github.com/Tim-Hoekstra/MailDev-2.1.0-Exploit-RCE https://github.com/maildev/maildev/issues/467 https://github.com/maildev/maildev/releases https://intrix.com.au/articles/exposing-major-security-flaw-in-maildev •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-31240 – WordPress WP Poll Maker plugin <= 3.1 - Auth. Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-31240
This makes it possible for authenticated attackers, with subscriber-level access and above, to delete arbitrary files that may make remote code execution possible. • https://patchstack.com/database/vulnerability/epoll-wp-voting/wordpress-wp-poll-maker-plugin-3-1-subscriber-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-30849
https://notcve.org/view.php?id=CVE-2024-30849
Arbitrary file upload vulnerability in Sourcecodester Complete E-Commerce Site v1.0, allows remote attackers to execute arbitrary code via filename parameter in admin/products_photo.php. • https://github.com/wkeyi0x1/vul-report/issues/3 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •