CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2024-6715 – Ditty 3.1.39-3.1.45 - Author+ Stored XSS
https://notcve.org/view.php?id=CVE-2024-6715
The Ditty WordPress plugin before 3.1.46 re-introduced a previously fixed security issue (https://wpscan.com/vulnerability/80a9eb3a-2cb1-4844-9004-ba2554b2d46c/) in v3.1.39 The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Content Title' field in versions 3.1.39 to 3.1.45 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This was previously patched as CVE-2024-3939 and was recently reintroduced. • https://wpscan.com/vulnerability/19406acc-3441-4d4a-9163-ace8f1dceb78 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41956 – Soft Serve allows arbitrary code execution by crafting git-lfs requests
https://notcve.org/view.php?id=CVE-2024-41956
Soft Serve is a self-hostable Git server for the command line. Prior to 0.7.5, it is possible for a user who can commit files to a repository hosted by Soft Serve to execute arbitrary code via environment manipulation and Git. The issue is that Soft Serve passes all environment variables given by the client to git subprocesses. This includes environment variables that control program execution, such as LD_PRELOAD. This vulnerability is fixed in 0.7.5. • https://github.com/charmbracelet/soft-serve/commit/4daebdd422a6ba8c04162d023f8be355a8fe3184 https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-m445-w3xr-vp2f • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-7093 – Server-Side Template Injection in Dispatch Message Templates
https://notcve.org/view.php?id=CVE-2024-7093
Dispatch's notification service uses Jinja templates to generate messages to users. Jinja permits code execution within blocks, which were neither properly sanitized nor sandboxed. This vulnerability enables users to construct command line scripts in their custom message templates, which are then executed whenever these notifications are rendered and sent out. • https://github.com/Netflix/security-bulletins/blob/master/advisories/nflx-2024-003.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41961 – Elektra vulnerable to remote code execution in universal search
https://notcve.org/view.php?id=CVE-2024-41961
A code injection vulnerability was found in the live search functionality of the Ruby on Rails based Elektra web application. • https://github.com/sapcc/elektra/commit/49aea3b365082681558bf3bf7bf4a51766cfc44d https://github.com/sapcc/elektra/commit/8bce00be93b95a6512ff68fe86bf9554e486bc02 https://github.com/sapcc/elektra/security/advisories/GHSA-6j2h-486h-487q • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.8EPSS: 0%CPEs: 5EXPL: 0CVE-2024-6923 – Email header injection due to unquoted newlines
https://notcve.org/view.php?id=CVE-2024-6923
There is a MEDIUM severity vulnerability affecting CPython. The email module didn’t properly quote newlines for email headers when serializing an email message allowing for header injection when an email is serialized. A vulnerability was found in the email module that uses Python language. The email module doesn't properly quote new lines in email headers. This flaw allows an attacker to inject email headers that could, among other possibilities, add hidden email destinations or inject content into the email, impacting data confidentiality and integrity. • https://github.com/python/cpython/issues/121650 https://github.com/python/cpython/pull/122233 https://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW https://github.com/python/cpython/commit/4766d1200fdf8b6728137aa2927a297e224d5fa7 https://github.com/python/cpython/commit/4aaa4259b5a6e664b7316a4d60bdec7ee0f124d0 https://github.com/python/cpython/commit/06f28dc236708f72871c64d4bc4b4ea144c50147 https://github.com/python/cpython/commit/b158a76ce094897c870fb6b3de62887b7ccc33f1 https://github.com/python/cp • CWE-94: Improper Control of Generation of Code ('Code Injection') •