CVE-2024-39424 – ZDI-CAN-24309: Adobe Acrobat Reader DC Annotation Use-After-Free Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-39424
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. • https://helpx.adobe.com/security/products/acrobat/apsb24-57.html • CWE-416: Use After Free •
CVE-2024-6823 – Media Library Assistant <= 3.18 - Authenticated (Author+) Arbitrary File Upload via mla-inline-edit-upload-scripts AJAX Action
https://notcve.org/view.php?id=CVE-2024-6823
This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/media-library-assistant/trunk/includes/class-mla-settings.php#L32 https://plugins.trac.wordpress.org/changeset/3133909 https://wordpress.org/plugins/media-library-assistant/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/9a446fe7-c97a-436e-b494-b924e6518297?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-42489 – Pro Macros Remote Code Execution via Viewpdf and similar macros
https://notcve.org/view.php?id=CVE-2024-42489
Missing escaping in the Viewpdf macro allows any user with view right on the `CKEditor.HTMLConverter` page or edit or comment right on any page to perform remote code execution. • https://github.com/xwikisas/xwiki-pro-macros/blob/main/xwiki-pro-macros-ui/src/main/resources/Confluence/Macros/Viewpdf.xml#L265-L267 https://github.com/xwikisas/xwiki-pro-macros/commit/199553c84901999481a20614f093af2d57970eba https://github.com/xwikisas/xwiki-pro-macros/security/advisories/GHSA-cfq3-q227-7j65 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2024-6917 – RCE in Veribilim Software's Veribase Order Management
https://notcve.org/view.php?id=CVE-2024-6917
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Veribilim Software Veribase Order Management allows OS Command Injection.This issue affects Veribase Order Management: before v4.010.2. • https://www.usom.gov.tr/bildirim/tr-24-1105 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-38530 – Open eClass Platform allows Arbitrary File Upload in "modules/h5p/save.php"
https://notcve.org/view.php?id=CVE-2024-38530
This may lead in unrestricted RCE on the backend server, since the upload location is accessible from the internet. • https://github.com/gunet/openeclass/commit/4449cf8bed40fd8fc4b267a5726fab9f9fe5a191 https://github.com/gunet/openeclass/security/advisories/GHSA-88c3-hp7p-grgg • CWE-434: Unrestricted Upload of File with Dangerous Type •