CVE-2024-12272 – WP Travel Engine – Elementor Widgets | Create Travel Booking Website Using WordPress and Elementor <= 1.3.7 - Authenticated (Contributor+) Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-12272
This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
References:
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3212458%40wte-elementor-widgets&new=3212458%40wte-elementor-widgets&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/be5142f6-36da-4715-91d2-7d6665c0efa6?source=cve
Weakness: CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVE-2024-56363 – APTRS has SSTI vulnerability
https://notcve.org/view.php?id=CVE-2024-56363
Specifically, when user input is improperly sanitized or validated, an attacker can inject Jinja2 syntax into the template, causing the server to execute arbitrary code. For example, an attacker might be able to inject expressions like {{ config }}, {{ self.class.mro[1].subclasses() }}, or more dangerous payloads that trigger execution of arbitrary Python code. ... If the input is rendered without sufficient sanitization, it results in the execution of malicious Jinja2 code on the server.
References:
https://github.com/APTRS/APTRS/commit/9f6b6e4a56a9119eb12126a4909441e83b6d7c11
https://github.com/APTRS/APTRS/security/advisories/GHSA-h4w2-hvcg-938j
Weakness: CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CVE-2024-12903 – Incorrect default permissions in Biamp Evoko Home
https://notcve.org/view.php?id=CVE-2024-12903
A non-admin user could exploit weak file and folder permissions to escalate privileges, execute arbitrary code and maintain persistence on the compromised machine.
References:
https://www.incibe.es/en/incibe-cert/notices/aviso/incorrect-default-permissions-biamp-evoko-home
Weakness: CWE-276: Incorrect Default Permissions
CVE-2024-56334 – Command injection vulnerability in getWindowsIEEE8021x (SSID) function in systeminformation
https://notcve.org/view.php?id=CVE-2024-56334
This vulnerability may enable an attacker, depending on how the package is used, to perform remote code execution or local privilege escalation.
References:
https://github.com/sebhildebrandt/systeminformation/commit/f7af0a67b78e7894335a6cad510566a25e06ae41
https://github.com/sebhildebrandt/systeminformation/security/advisories/GHSA-cvv5-9h9w-qp2m
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-56333 – Remote code execution in onyxia-api
https://notcve.org/view.php?id=CVE-2024-56333
This critical vulnerability allows authenticated users to remotely execute code within the Onyxia-API, leading to potential consequences such as unauthorized access to other user environments and denial of service attacks.
References:
https://docs.onyxia.sh/vulnerability-disclosure/known-vulnerabilities/vulnerability-20241219
https://github.com/InseeFrLab/onyxia/security/advisories/GHSA-qmcw-h4f9-j3h3
Weakness: CWE-94: Improper Control of Generation of Code ('Code Injection')