CVE-2024-31032
https://notcve.org/view.php?id=CVE-2024-31032
An issue in Huashi Private Cloud CDN Live Streaming Acceleration Server hgateway-sixport v.1.1.2 allows a remote attacker to execute arbitrary code via the manager/ipping.php component. • https://github.com/walskt/CVE/blob/main/CVE-2024-31032/README.md https://github.com/whgojp/cve-reports/blob/master/Huashi_Private_Cloud_CDN_Live_Streaming_Acceleration_Server_Has_RCE_Vulnerability/report.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-29640
https://notcve.org/view.php?id=CVE-2024-29640
An issue in aliyundrive-webdav v.2.3.3 and before allows a remote attacker to execute arbitrary code via a crafted payload to the sid parameter in the action_query_qrcode component. • http://aliyundrive-webdav.com https://github.com/lakemoon602/vuln/blob/main/detail.md https://github.com/messense/aliyundrive-webdav • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-2047 – ElementsKit Elementor addons <= 3.0.6 - Authenticated (Contributor+) Local File Inclusion in render_raw
https://notcve.org/view.php?id=CVE-2024-2047
This makes it possible for authenticated attackers, with contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://plugins.trac.wordpress.org/browser/elementskit-lite/tags/3.0.5/widgets/testimonial/testimonial.php#L2458 https://plugins.trac.wordpress.org/changeset/3054091/elementskit-lite/tags/3.0.7/widgets/testimonial/testimonial.php https://www.wordfence.com/threat-intel/vulnerabilities/id/413e6326-14c6-4734-8adc-114a7842c574?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVE-2024-2141 – Ultimate Addons for Beaver Builder – Lite <= 1.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via Button Widget
https://notcve.org/view.php?id=CVE-2024-2141
The Ultimate Addons for Beaver Builder – Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget in all versions up to, and including, 1.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://github.com/DevAkabari/CVE-2024-21413 https://github.com/DerZiad/CVE-2024-21413 https://github.com/X-Projetion/CVE-2024-21413-Microsoft-Outlook-RCE-Exploit https://plugins.trac.wordpress.org/browser/ultimate-addons-for-beaver-builder-lite/trunk/modules/uabb-button/includes/frontend.php#L25 https://plugins.trac.wordpress.org/changeset? • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-29686
https://notcve.org/view.php?id=CVE-2024-29686
Server-side Template Injection (SSTI) vulnerability in Winter CMS v.1.2.3 allows a remote attacker to execute arbitrary code via a crafted payload to the CMS Pages field and Plugin components. • https://forum.ksec.co.uk/t/webapps-winter-cms-1-2-3-server-side-template-injection-ssti-authenticated/2779 https://wintercms.com/docs/v1.2/docs/cms/themes#template-structure https://www.exploit-db.com/exploits/51893 • CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page •