CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12175 – Rockwell Automation Code Execution Vulnerability in Arena
https://notcve.org/view.php?id=CVE-2024-12175
Another “use after free” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12571 – Store Locator <= 3.98.10 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-12571
This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. • https://plugins.trac.wordpress.org/browser/store-locator/trunk/sl-functions.php#L1919 https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea89a6e-e089-4e8d-afd8-2a217f6910a6?source=cve • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 7.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-54790
https://notcve.org/view.php?id=CVE-2024-54790
A SQL Injection vulnerability was found in /index.php in PHPGurukul Pre-School Enrollment System v1.0, which allows remote attackers to execute arbitrary code via the visittime parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Pre-School%20Enrollment/SQL%20Injection%20pr-school%20i.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-55081
https://notcve.org/view.php?id=CVE-2024-55081
An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. • https://gist.github.com/summerxxoo/18b3ccc91aacd606aa4d48a02029e9e7 https://github.com/summerxxoo/VulnPoc/blob/main/chat2DB_XXE.md •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11364 – Rockwell Automation Third Party Vulnerability in Arena®
https://notcve.org/view.php?id=CVE-2024-11364
Another “uninitialized variable” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html •