CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49676 – WordPress Custom Icons for Elementor plugin <= 0.3.3 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-49676
The Custom Icons for Elementor plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 0.3.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/custom-icons-for-elementor/wordpress-custom-icons-for-elementor-plugin-0-3-3-arbitrary-file-upload-vulnerability? • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-10131 – Remote Code Execution in infiniflow/ragflow
https://notcve.org/view.php?id=CVE-2024-10131
The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to potentially execute arbitrary code due to the lack of comprehensive input validation or sanitization. An attacker could provide a malicious value for 'llm_factory' that, when used as an index to these model dictionaries, results in the execution of arbitrary code. • https://huntr.com/bounties/42ae0b27-e851-4b58-a991-f691a437fbaa • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-37404
https://notcve.org/view.php?id=CVE-2024-37404
Improper Input Validation in the admin portal of Ivanti Connect Secure before 22.7R2.1 and 9.1R18.9, or Ivanti Policy Secure before 22.7R1.1 allows a remote authenticated attacker to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-and-Policy-Secure-CVE-2024-37404 •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49361 – Potential Vulnerability in ACON Library: Improper Input Validation Leading to Malicious Code Execution
https://notcve.org/view.php?id=CVE-2024-49361
A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. • https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9 • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 6EXPL: 6CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit https://github.com/nollium/CVE-2024-9264 https://github.com/z3k0sec/File-Read-CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264-RCE https://github.com/PunitTailor55/Grafana-CVE-2024-9264 https://grafana.com/security/security-advisories/cve-2024-9264 • CWE-94: Improper Control of Generation of Code ('Code Injection') •