CVSS: 4.3EPSS: 0%CPEs: -EXPL: 0CVE-2024-30370 – RARLAB WinRAR Mark-Of-The-Web Bypass Vulnerability
https://notcve.org/view.php?id=CVE-2024-30370
This vulnerability allows remote attackers to bypass the Mark-Of-The-Web protection mechanism on affected installations of RARLAB WinRAR. ... An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current user. ... This vulnerability allows remote attackers to bypass the Mark-Of-The-Web protection mechanism on affected installations of RARLAB WinRAR. ... An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current user. • https://www.rarlab.com/rarnew.htm#27.%20Busgs%20fixed https://www.zerodayinitiative.com/advisories/ZDI-24-357 • CWE-693: Protection Mechanism Failure •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41724
https://notcve.org/view.php?id=CVE-2023-41724
A command injection vulnerability in Ivanti Sentry prior to 9.19.0 allows unauthenticated threat actor to execute arbitrary commands on the underlying operating system of the appliance within the same physical or logical network. • https://forums.ivanti.com/s/article/CVE-2023-41724-Remote-Code-Execution-for-Ivanti-Standalone-Sentry • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-1522 – Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui
https://notcve.org/view.php?id=CVE-2024-1522
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. • https://github.com/parisneo/lollms-webui/commit/0b51063119cfb5e391925d232a4af1de9dc32e2b https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 3CVE-2024-3085 – PHPGurukul Emergency Ambulance Hiring Portal Admin Login Page login.php sql injection
https://notcve.org/view.php?id=CVE-2024-3085
The manipulation of the argument username leads to sql injection. ... Mit der Manipulation des Arguments username mit unbekannten Daten kann eine sql injection-Schwachstelle ausgenutzt werden. • https://github.com/chebuya/CVE-2024-30850-chaos-rat-rce-poc https://github.com/chebuya/CVE-2024-30851-jasmin-ransomware-path-traversal-poc https://github.com/dhabaleshwar/Open-Source-Vulnerabilities/blob/main/eahp_sqli.md https://vuldb.com/? • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-29890 – Remote code execution in datalens-ui
https://notcve.org/view.php?id=CVE-2024-29890
A specifically crafted request allowed the creation of a special chart type with the ability to pass custom javascript code that would later be executed in an unprotected sandbox on subsequent requests to that chart. • https://github.com/datalens-tech/datalens/security/advisories/GHSA-6278-2wvc-4p93 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •