CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
Dispatch's notification service renders user-supplied message templates with Jinja. Jinja expression blocks can reach arbitrary Python objects, and the custom templates were neither sanitized nor rendered in a sandboxed environment, so a user who can edit a custom message template can embed code (including operating-system commands) that runs every time a notification built from that template is rendered and sent. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
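The bug class behind this entry, shown as an added example that is not Dispatch's own code: a user-controlled template string handed to a plain jinja2 `Environment` versus the same string handed to `SandboxedEnvironment`. The template text, the `incident` context and the two helper functions are constructed for the demo; the payload reaches the `os` module through the `lipsum` built-in's `__globals__` and calls `os.getcwd()` so the demo has no side effects (an attacker would call `os.popen(...)` from the same spot). Requires the jinja2 package.

```python
"""Constructed demo of the CVE-2024-7093 bug class: rendering a user-controlled
Jinja template without a sandbox. Not Dispatch code; jinja2 must be installed."""
from jinja2 import Environment
from jinja2.exceptions import SecurityError
from jinja2.sandbox import SandboxedEnvironment

# Constructed "custom message template" an attacker would save. `lipsum` is a
# Jinja built-in global and a plain Python function, so its __globals__ is the
# jinja2.utils module namespace, which imports `os`. os.getcwd() is used here
# instead of os.popen(...) so running the demo has no side effects.
MALICIOUS_TEMPLATE = (
    "Incident {{ incident.name }}: {{ lipsum.__globals__['os'].getcwd() }}"
)
BENIGN_TEMPLATE = "Incident {{ incident.name }}"

# Constructed render context of the kind a notification service would supply.
CONTEXT = {"incident": {"name": "INC-1"}}


def render_unsandboxed(template_source: str) -> str:
    """The vulnerable pattern: untrusted text compiled by a plain Environment.

    Attribute and item access are unrestricted, so the template walks from a
    harmless global to the os module and calls into it.
    """
    return Environment(autoescape=False).from_string(template_source).render(**CONTEXT)


def render_sandboxed(template_source: str) -> str:
    """The hardened form: SandboxedEnvironment blocks internal/dunder attribute
    access and raises SecurityError instead of executing it.

    Returns the rendered text, or the marker string 'blocked' when the sandbox
    intervened.
    """
    env = SandboxedEnvironment(autoescape=False)
    try:
        return env.from_string(template_source).render(**CONTEXT)
    except SecurityError:
        return "blocked"


if __name__ == "__main__":
    print("unsandboxed:", render_unsandboxed(MALICIOUS_TEMPLATE))
    print("sandboxed:  ", render_sandboxed(MALICIOUS_TEMPLATE))
    print("benign:     ", render_sandboxed(BENIGN_TEMPLATE))
```

The sandbox is a mitigation, not a substitute for treating template editing as a privileged operation: `SandboxedEnvironment` still lets a template call any method exposed on the objects in its context, so the context passed to user-editable templates should contain plain data, not live service objects.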
CVE-2024-41961 – Elektra vulnerable to remote code execution in universal search
https://notcve.org/view.php?id=CVE-2024-41961
A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. • https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02 https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-6923 – Email header injection due to unquoted newlines
https://notcve.org/view.php?id=CVE-2024-6923
There is a MEDIUM severity vulnerability affecting CPython. The email module did not properly quote newlines in email header values when serializing a message, so a header value containing a line break could end the header it belongs to and start a new one. An attacker who controls a header value can therefore inject additional headers when the message is serialized (for example, adding hidden recipients) or inject content into the message, impacting data confidentiality and integrity. • https://github.com/python/cpython/issues/121650 https://github.com/python/cpython/pull/122233 https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7 https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147 https://github.com/python/cpython/commit/b158a76ce094897c870fb6b3de62887b7ccc33f1 https://github.com/python/cp • CWE-94: Improper Control of Generation of Code ('Code Injection') •
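What the injection looks like against the standard library, as an added example that is not CPython's own test code: a constructed `To` value carrying `\r\nBcc: ...` is serialized through the legacy `compat32` path (`email.message.Message`), through the modern `email.policy.default` path (`EmailMessage`), and through an application-side guard. The outcome of the compat32 probe depends on the interpreter's patch level, so the function classifies the result rather than assuming one; the `INJECTED_VALUE`, `LINE_BREAKS` and the three helper functions are this example's own.

```python
"""Constructed demo for the CVE-2024-6923 bug class: a CR/LF inside a header
value reaching the email serializer. Not CPython's own code or tests."""
import email.errors
from email.message import EmailMessage, Message

# Constructed attacker-controlled header value: a valid address followed by a
# line break and a second header that the sender never intended to emit.
INJECTED_VALUE = "alice@example.com\r\nBcc: attacker@example.invalid"

# Every code point str.splitlines() treats as a line boundary. A header value
# containing any of them must never reach a serializer.
LINE_BREAKS = frozenset("\r\n\x0b\x0c\x1c\x1d\x1e\x85\u2028\u2029")


def serialize_compat32(to_value: str) -> str:
    """Serialize with the legacy compat32 policy (email.message.Message).

    compat32 stores the raw string at assignment time; what happens at
    serialization depends on the patch level, so the result is classified:
      'injected'          - a line starting with 'Bcc' appeared in the header block
      'rejected:<Error>'  - the library refused to write the header
      'clean'             - the line break was quoted/folded; no extra header line
    """
    msg = Message()
    msg["From"] = "noreply@example.com"
    msg["To"] = to_value
    msg.set_payload("hello")
    try:
        text = msg.as_string()
    except (email.errors.MessageError, ValueError) as exc:
        # HeaderParseError on older builds, HeaderWriteError on patched ones
        return f"rejected:{type(exc).__name__}"
    header_block = text.split("\n\n", 1)[0]
    for line in header_block.splitlines():
        if line.lower().startswith("bcc"):
            return "injected"
    return "clean"


def modern_policy_rejects(to_value: str) -> bool:
    """email.policy.default (EmailMessage) refuses CR/LF at assignment time
    with ValueError, independent of the serializer fix."""
    msg = EmailMessage()
    try:
        msg["To"] = to_value
    except ValueError:
        return True
    return False


def guard_rejects(value: str) -> bool:
    """Application-side check that does not depend on the interpreter version:
    any line-boundary code point in a header value is grounds for rejection."""
    return bool(LINE_BREAKS.intersection(value))


def safe_header_value(value: str) -> str:
    """Validate a header value before it is assigned to a Message; raises
    ValueError on any line break so the serializer never sees one."""
    if guard_rejects(value):
        raise ValueError(f"header value contains a line break: {value!r}")
    return value


if __name__ == "__main__":
    print("compat32 probe:", serialize_compat32(INJECTED_VALUE))
    print("policy.default rejects:", modern_policy_rejects(INJECTED_VALUE))
    print("guard rejects:", guard_rejects(INJECTED_VALUE))
```

On an unpatched interpreter the compat32 probe either reports `injected` or is caught by the older embedded-header check, depending on the exact shape of the payload; on a patched one the line break is quoted on output and the generator's `verify_generated_headers` check refuses to write anything that still contains a bare newline. The application guard is the one you control: validate header values at the boundary where attacker input enters, and prefer `EmailMessage` over the legacy `Message` class so the policy rejects the value before it is ever stored.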
CVE-2024-37900 – XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
https://notcve.org/view.php?id=CVE-2024-37900
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user uploading the attachment. While this allows performing actions in the name of that user, it seems unlikely that a user wouldn't notice the malicious filename while uploading the attachment. • https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wf3x-jccf-5g5g https://github.com/xwiki/xwiki-platform/commit/6cdd69d31d6bf3caa7f40ec55eb317e4e528ad28 https://github.com/xwiki/xwiki-platform/commit/8b8a2d80529b9a9c038014c1eb6c2adc08069dfd https://github.com/xwiki/xwiki-platform/commit/910a5018a50039e8b24556573dfe342f143ef949 https://github.com/xwiki/xwiki-platform/commit/9df46f8e5313af46f93bccd1ebc682e28126573f https://jira.xwiki.org/browse/XWIKI-19602 https://jira.xwiki.org/browse/XWIKI-19611 https://jira.xwiki.org/browse& • CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') •
CVE-2024-37129
https://notcve.org/view.php?id=CVE-2024-37129
A local authenticated malicious user could potentially exploit this vulnerability, leading to arbitrary code execution on the system. • https://www.dell.com/support/kbdoc/en-us/000225779/dsa-2024-263 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •