CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-5683 – Remote Code Execution in Next4Biz's BPM
https://notcve.org/view.php?id=CVE-2024-5683
Improper Control of Generation of Code ('Code Injection') vulnerability in Next4Biz CRM & BPM Software Business Process Manangement (BPM) allows Remote Code Inclusion.This issue affects Business Process Manangement (BPM): from 6.6.4.4 before 6.6.4.5. • https://www.usom.gov.tr/bildirim/tr-24-0739 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.9EPSS: 0%CPEs: -EXPL: 0CVE-2024-24551 – Bludit - Remote Code Execution (RCE) through Image API
https://notcve.org/view.php?id=CVE-2024-24551
A security vulnerability has been identified in Bludit, allowing authenticated attackers to execute arbitrary code through the Image API. This vulnerability arises from improper handling of file uploads, enabling malicious actors to upload and execute PHP files. Se ha identificado una vulnerabilidad de seguridad en Bludit, que permite a atacantes autenticados ejecutar código arbitrario a través de Image API. Esta vulnerabilidad surge del manejo inadecuado de la carga de archivos, lo que permite a actores malintencionados cargar y ejecutar archivos PHP. • https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-24550 – Bludit - Remote Code Execution (RCE) through File API
https://notcve.org/view.php?id=CVE-2024-24550
A security vulnerability has been identified in Bludit, allowing attackers with knowledge of the API token to upload arbitrary files through the File API which leads to arbitrary code execution on the server. • https://www.redguard.ch/blog/2024/06/20/security-advisory-bludit • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type CWE-502: Deserialization of Untrusted Data •
CVSS: 6.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-3121 – Remote Code Execution in create_conda_env function in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-3121
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands. Existe una vulnerabilidad de ejecución remota de código en la función create_conda_env del repositorio parisneo/lollms, versión 5.9.0. La vulnerabilidad surge del uso de shell=True en la función subprocess.Popen, que permite a un atacante inyectar comandos arbitrarios manipulando los parámetros env_name y python_version. • https://github.com/Abo5/CVE-2024-31210 https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 0CVE-2023-50029
https://notcve.org/view.php?id=CVE-2023-50029
PHP Injection vulnerability in the module "M4 PDF Extensions" (m4pdf) up to version 3.3.2 from PrestaAddons for PrestaShop allows attackers to run arbitrary code via the M4PDF::saveTemplate() method. Vulnerabilidad de inyección de PHP en el módulo "M4 PDF Extensions" (m4pdf) hasta la versión 3.3.2 de PrestaAddons para PrestaShop permite a los atacantes ejecutar código de su elección a través del método M4PDF::saveTemplate(). • https://security.friendsofpresta.org/modules/2024/06/20/m4pdf.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •