CVE-2024-3562 – Custom Field Suite <= 2.6.7 - Authenticated (Contributor+) PHP Code Injection via Loop Custom Field
https://notcve.org/view.php?id=CVE-2024-3562
The Custom Field Suite plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 2.6.7 via the Loop custom field. • https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L192 https://github.com/mgibbs189/custom-field-suite/blob/963dfcede18ff4ad697498556d9058db07d74fa3/includes/fields/loop.php#L224 https://mgibbs189.github.io/custom-field-suite/field-types/loop.html https://www.wordfence.com/threat-intel/vulnerabilities/id/dfd7b788-03a0-41a4-96f2-cfca74ef281b?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2024-37124
https://notcve.org/view.php?id=CVE-2024-37124
Use of potentially dangerous function issue exists in Ricoh Streamline NX PC Client. If this vulnerability is exploited, an attacker may create an arbitrary file in the PC where the product is installed. Existe un problema de uso de funciones potencialmente peligrosas en Ricoh Streamline NX PC Client. Si se aprovecha esta vulnerabilidad, un atacante puede crear un archivo arbitrario en la PC donde está instalado el producto. • https://jvn.jp/en/jp/JVN00442488 https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2024-000006 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-36679
https://notcve.org/view.php?id=CVE-2024-36679
In the module "Module Live Chat Pro (All in One Messaging)" (livechatpro) <=8.4.0, a guest can perform PHP Code injection. • https://security.friendsofpresta.org/modules/2024/06/18/livechatpro.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-35767 – WordPress Squeeze plugin <= 1.4 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-35767
Unrestricted Upload of File with Dangerous Type vulnerability in Bogdan Bendziukov Squeeze allows Code Injection.This issue affects Squeeze: from n/a through 1.4. La carga sin restricciones de archivos con vulnerabilidad de tipo peligroso en Bogdan Bendziukov Squeeze permite la inyección de código. Este problema afecta a Squeeze: desde n/a hasta 1.4. The Squeeze plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 1.4. This makes it possible for authenticated attackers, with administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/squeeze/wordpress-squeeze-plugin-1-4-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-37821
https://notcve.org/view.php?id=CVE-2024-37821
An arbitrary file upload vulnerability in the Upload Template function of Dolibarr ERP CRM up to v19.0.1 allows attackers to execute arbitrary code via uploading a crafted .SQL file. Una vulnerabilidad de carga de archivos arbitrarios en la función Cargar plantilla de Dolibarr ERP CRM hasta v19.0.1 permite a los atacantes ejecutar código arbitrario cargando un archivo .SQL manipulado. • http://dolibarr.com https://github.com/alexbsec/CVEs/blob/master/2024/CVE-2024-37821.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •