CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9849 – 3D FlipBook, PDF Viewer, PDF Embedder – Real 3D FlipBook WordPress Plugin <= 4.6 - Authenticated (Author+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-9849
15 Nov 2024 — This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. ... This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/real3d-flipbook-lite/tags/4.6/includes/plugin-admin.php#L77 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-10443
https://notcve.org/view.php?id=CVE-2024-10443
15 Nov 2024 — Improper neutralization of special elements used in a command ('Command Injection') vulnerability in Task Manager component in Synology BeePhotos before 1.0.2-10026 and 1.1.0-10053 and Synology Photos before 1.6.2-0720 and 1.7.0-0795 allows remote attackers to execute arbitrary code via unspecified vectors. • https://www.synology.com/en-global/security/advisory/Synology_SA_24_18 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-24450
https://notcve.org/view.php?id=CVE-2024-24450
15 Nov 2024 — Stack-based memcpy buffer overflow in the ngap_handle_pdu_session_resource_setup_response routine in OpenAirInterface CN5G AMF <= 2.0.0 allows a remote attacker with access to the N2 interface to carry out denial of service against the AMF and potentially execute code by sending a PDU Session Resource Setup Response with a suffciently large FailedToSetupList IE. • https://cellularsecurity.org/ransacked • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10728 – PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10728
15 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-10728 • CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51141
https://notcve.org/view.php?id=CVE-2024-51141
15 Nov 2024 — An issue in TOTOLINK Bluetooth Wireless Adapter A600UB allows a local attacker to execute arbitrary code via the WifiAutoInstallDriver.exe and MSASN1.dll components. • https://infosecwriteups.com/dll-hijacking-in-totolink-a600ub-driver-installer-13787c4d97b4 • CWE-354: Improper Validation of Integrity Check Value •
CVSS: 8.8EPSS: 4%CPEs: -EXPL: 1CVE-2024-44625
https://notcve.org/view.php?id=CVE-2024-44625
15 Nov 2024 — Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. • https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-44758
https://notcve.org/view.php?id=CVE-2024-44758
15 Nov 2024 — An arbitrary file upload vulnerability in the component /Production/UploadFile of NUS-M9 ERP Management Software v3.0.0 allows attackers to execute arbitrary code via uploading crafted files. • https://github.com/WarmBrew/web_vul/blob/main/CVES/CVE-2024-44758.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-49592 – McAfee Total Protection Uncontrolled Search Path Element Local Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-49592
15 Nov 2024 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the McAfee Direct Stub Installer. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of an administrator. • https://www.mcafee.com/support/s/article/000002516?language=en_US • CWE-427: Uncontrolled Search Path Element •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2024-8856 – Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8856
15 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... The vulnerability allows uploading a malicious PHP file to achieve remote code execution. • https://packetstorm.news/files/id/183146 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-50648
https://notcve.org/view.php?id=CVE-2024-50648
15 Nov 2024 — yshopmall V1.0 has an arbitrary file upload vulnerability, which can enable RCE or even take over the server when improperly configured to parse JSP files. • https://github.com/Yllxx03/CVE/blob/main/yshop_fileu_pload.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •