CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49671 – WordPress AI Postpix plugin <= 1.1.8 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49671
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/ai-postpix/wordpress-ai-postpix-plugin-1-1-8-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49676 – WordPress Custom Icons for Elementor plugin <= 0.3.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49676
This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/custom-icons-for-elementor/wordpress-custom-icons-for-elementor-plugin-0-3-3-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-10131 – Remote Code Execution in infiniflow/ragflow
https://notcve.org/view.php?id=CVE-2024-10131
The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a malicious value for 'llm_factory' that, when used as an index to these model dictionaries, results in the execution of arbitrary code. • https://huntr.com/bounties/42ae0b27-e851-4b58-a991-f691a437fbaa • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-37404
https://notcve.org/view.php?id=CVE-2024-37404
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49361 – Potential Vulnerability in ACON Library: Improper Input Validation Leading to Malicious Code Execution
https://notcve.org/view.php?id=CVE-2024-49361
A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. • https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9 • CWE-20: Improper Input Validation •