
CVSS: 10.0 | EPSS: 0% | CPEs: 4 | EXPL: 0

15 Nov 2024 — Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_18 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

CVSS: 9.0 | EPSS: 0% | CPEs: 1 | EXPL: 1

15 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-10728 • CWE-862: Missing Authorization

CVSS: 7.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 Nov 2024 — An issue in TOTOLINK Bluetooth Wireless Adapter A600UB allows a local attacker to execute arbitrary code via the WifiAutoInstallDriver.exe and MSASN1.dll components. • https://infosecwriteups.com/dll-hijacking-in-totolink-a600ub-driver-installer-13787c4d97b4 • CWE-354: Improper Validation of Integrity Check Value

CVSS: 8.8 | EPSS: 4% | CPEs: - | EXPL: 1

15 Nov 2024 — Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. • https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0

15 Nov 2024 — An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. • https://github.com/WarmBrew/web_vul/blob/main/CVES/CVE-2024-44758.md • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.8 | EPSS: 0% | CPEs: - | EXPL: 0

15 Nov 2024 — The issue only affects execution of this installer, and does not leave McAfee Total Protection in a vulnerable state after installation is completed. ... An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the McAfee Direct Stub Installer. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of an admi... • https://www.mcafee.com/support/s/article/000002516?language=en_US • CWE-427: Uncontrolled Search Path Element

CVSS: 10.0 | EPSS: 0% | CPEs: 1 | EXPL: 3

15 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... The vulnerability allows uploading a malicious PHP file to achieve remote code execution. • https://packetstorm.news/files/id/183146 • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 9.8 | EPSS: 0% | CPEs: - | EXPL: 0

15 Nov 2024 — yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. • https://github.com/Yllxx03/CVE/blob/main/yshop_fileu_pload.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 5.4 | EPSS: 0% | CPEs: - | EXPL: 0

15 Nov 2024 — Cross Site Scripting vulnerability in M2000 Smart4Web before v.5.020241004 allows a remote attacker to execute arbitrary code via the error parameter in URL • https://github.com/Jellyfishxoxo/vulnerability-research/tree/main/CVE-2024-50800 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.3 | EPSS: 0% | CPEs: - | EXPL: 1

15 Nov 2024 — An issue in Clementine v.1.3.1 allows a local attacker to execute arbitrary code via a crafted DLL file. • https://github.com/riftsandroses/CVE-2024-50986 • CWE-426: Untrusted Search Path