CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2024-10728 – PostX <= 4.1.16 - Missing Authorization to Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10728
15 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install and activate arbitrary plugins which can be leveraged to achieve remote code execution if another vulnerable plugin is installed and activated. • https://github.com/RandomRobbieBF/CVE-2024-10728 • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 3CVE-2024-8856 – Backup and Staging by WP Time Capsule <= 1.22.21 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-8856
15 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. ... The vulnerability allows uploading a malicious PHP file to achieve remote code execution. • https://packetstorm.news/files/id/183146 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 4%CPEs: -EXPL: 1CVE-2024-44625
https://notcve.org/view.php?id=CVE-2024-44625
15 Nov 2024 — Gogs <=0.13.0 is vulnerable to Directory Traversal via the editFilePost function of internal/route/repo/editor.go. • https://fysac.github.io/posts/2024/11/unpatched-remote-code-execution-in-gogs • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52427 – WordPress Event Tickets with Ticket Scanner plugin <= 2.3.11 - Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-52427
15 Nov 2024 — The Event Tickets with Ticket Scanner plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.3.11. This makes it possible for authenticated attackers, with author-level access and above, to execute code on the server. • https://patchstack.com/database/vulnerability/event-tickets-with-ticket-scanner/wordpress-event-tickets-with-ticket-scanner-plugin-2-3-11-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-52429 – WordPress WP Quick Setup plugin <= 2.0 - Arbitrary Plugin and Theme Installation to Remote Code Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-52429
15 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins and themes which can be leveraged to achieve remote code execution. • https://patchstack.com/database/vulnerability/wp-quick-setup/wordpress-wp-quick-setup-plugin-2-0-arbitrary-plugin-and-theme-installation-to-remote-code-execution-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52308 – Connecting to a malicious Codespaces via GH CLI could allow command execution on the user's computer
https://notcve.org/view.php?id=CVE-2024-52308
14 Nov 2024 — The GitHub CLI version 2.6.1 and earlier are vulnerable to remote code execution through a malicious codespace SSH server when using `gh codespace ssh` or `gh codespace logs` commands. ... Developers connect to remote codespaces through an SSH server running within the devcontainer, which is generally provided through the [default devcontainer image]( https://docs.github.com/en/codespaces/setting-up-your-project-for-codespaces/adding-a-dev-container-... • https://github.com/cli/cli/security/advisories/GHSA-p2h2-3vg9-4p87 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-10397
https://notcve.org/view.php?id=CVE-2024-10397
14 Nov 2024 — A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code. A malicious server can crash the OpenAFS cache manager and other client utilities, and possibly execute arbitrary code. • https://openafs.org/pages/security/OPENAFS-SA-2024-003.txt • CWE-787: Out-of-bounds Write •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49362 – Remote Code Execution on click of <a> Link in markdown preview
https://notcve.org/view.php?id=CVE-2024-49362
14 Nov 2024 — Joplin-desktop has a vulnerability that leads to remote code execution (RCE) when a user clicks on an <a> link within untrusted notes. • https://github.com/laurent22/joplin/security/advisories/GHSA-hff8-hjwv-j9q7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2024-4343 – Python Command Injection in imartinez/privategpt
https://notcve.org/view.php?id=CVE-2024-4343
14 Nov 2024 — The vulnerability arises due to the use of the `eval()` function to parse a string received from a remote AWS SageMaker LLM endpoint into a dictionary. This method of parsing is unsafe as it can execute arbitrary Python code contained within the response. An attacker can exploit this vulnerability by manipulating the response from the AWS SageMaker LLM endpoint to include malicious Python code, leading to potential execution of arbitrary commands on the system hosting the applica... • https://github.com/imartinez/privategpt/commit/86368c61760c9cee5d977131d23ad2a3e063cbe9 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52524 – ReDoS in Giskard Scan text perturbation
https://notcve.org/view.php?id=CVE-2024-52524
14 Nov 2024 — A Remote Code Execution (ReDoS) vulnerability was discovered in Giskard component by the GitHub Security Lab team. • https://github.com/Giskard-AI/giskard/commit/48ce81f5c626171767188d6f0669498fb613b4d3 • CWE-1333: Inefficient Regular Expression Complexity •