CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 2CVE-2024-56145 – RCE when PHP `register_argc_argv` config setting is enabled in craftcms/cms
https://notcve.org/view.php?id=CVE-2024-56145
18 Dec 2024 — For these users an unspecified remote code execution vector is present. ... For these users an unspecified remote code execution vector is present. • https://github.com/Sachinart/CVE-2024-56145-craftcms-rce • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-12741 – Deserialization Of Untrusted Data Vulnerability In NI DAAQAExpress Project File
https://notcve.org/view.php?id=CVE-2024-12741
18 Dec 2024 — A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. ... A deserialization of untrusted data vulnerability exists in NI DAQExpress that may result in remote code execution. • https://knowledge.ni.com/KnowledgeArticleDetails?id=kA00Z000000kFD7SAM&l=en-US • CWE-502: Deserialization of Untrusted Data •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-55952 – Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnerability
https://notcve.org/view.php?id=CVE-2024-55952
18 Dec 2024 — Authenticated users can remotely execute code through the backend JDBC connection. • https://github.com/dataease/dataease/commit/0db4872a52eccf6e83dd9359aa05db52dd580ec1 • CWE-20: Improper Input Validation •
CVSS: 8.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-56051 – WordPress WPLMS plugin < 1.9.9.5 - Student+ Remote Code Execution (RCE) vulnerability
https://notcve.org/view.php?id=CVE-2024-56051
18 Dec 2024 — Improper Control of Generation of Code ('Code Injection') vulnerability in VibeThemes WPLMS allows Code Injection.This issue affects WPLMS: from n/a before 1.9.9.5. • https://patchstack.com/database/wordpress/plugin/wplms-plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-student-remote-code-execution-rce-vulnerability?_s_id=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 14EXPL: 0CVE-2024-12372 – Rockwell Automation PowerMonitor™ 1000 Denial of Service
https://notcve.org/view.php?id=CVE-2024-12372
18 Dec 2024 — A denial-of-service and possible remote code execution vulnerability exists in the Rockwell Automation Power Monitor 1000. The vulnerability results in corruption of the heap memory which may compromise the integrity of the system, potentially allowing for remote code execution or a denial-of-service attack. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1714.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.3EPSS: 0%CPEs: 14EXPL: 0CVE-2024-12371 – Rockwell Automation PowerMonitor™ 1000 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-12371
18 Dec 2024 — A device takeover vulnerability exists in the Rockwell Automation Power Monitor 1000. This vulnerability allows configuration of a new Policyholder user without any authentication via API. Policyholder user is the most privileged user that can perform edit operations, creating admin users and performing factory reset. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1714.html • CWE-306: Missing Authentication for Critical Function •
CVSS: 7.2EPSS: 0%CPEs: 5EXPL: 0CVE-2024-48889
https://notcve.org/view.php?id=CVE-2024-48889
18 Dec 2024 — An Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability [CWE-78] in FortiManager version 7.6.0, version 7.4.4 and below, version 7.2.7 and below, version 7.0.12 and below, version 6.4.14 and below and FortiManager Cloud version 7.4.4 and below, version 7.2.7 to 7.2.1, version 7.0.12 to 7.0.1 may allow an authenticated remote attacker to execute unauthorized code via FGFM crafted requests. • https://fortiguard.fortinet.com/psirt/FG-IR-24-425 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-21546
https://notcve.org/view.php?id=CVE-2024-21546
18 Dec 2024 — Versions of the package unisharp/laravel-filemanager before 2.9.1 are vulnerable to Remote Code Execution (RCE) through using a valid mimetype and inserting the . character after the php file extension. This allows the attacker to execute malicious code. • https://gist.github.com/ImHades101/338a06816ef97262ba632af9c78b78ca • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-12626 – AutomatorWP <= 5.0.9 - Reflected Cross-Site Scripting via a-0-o-search_field_value
https://notcve.org/view.php?id=CVE-2024-12626
18 Dec 2024 — The AutomatorWP – Automator plugin for no-code automations, webhooks & custom integrations in WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘a-0-o-search_field_value’ parameter in all versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such ... • https://plugins.trac.wordpress.org/changeset/3209794/automatorwp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-55506
https://notcve.org/view.php?id=CVE-2024-55506
18 Dec 2024 — An IDOR vulnerability in CodeAstro's Complaint Management System v1.0 (version with 0 updates) enables an attacker to execute arbitrary code and obtain sensitive information via the delete.php file and modifying the id parameter. • https://github.com/CV1523/CVEs/blob/main/CVE-2024-55506.md • CWE-639: Authorization Bypass Through User-Controlled Key •