CVSS: 9.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-38395
https://notcve.org/view.php?id=CVE-2024-38395
In iTerm2 before 3.5.2, the "Terminal may report window title" setting is not honored, and thus remote code execution might occur but "is not trivially exploitable." En iTerm2 anterior a 3.5.2, la configuración "La terminal puede informar el título de la ventana" no se respeta y, por lo tanto, puede ocurrir la ejecución remota de código, pero "no es trivialmente explotable". • https://github.com/vin01/poc-cve-2024-38396 http://www.openwall.com/lists/oss-security/2024/06/17/1 https://gitlab.com/gnachman/iterm2/-/commit/f1e89f78dd72dcac3ba66d3d6f93db3f7f649219 https://gitlab.com/gnachman/iterm2/-/tags/v3.5.2 https://iterm2.com/downloads.html https://www.openwall.com/lists/oss-security/2024/06/15/1 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-38458 – Xenforo 2.2.15 Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-38458
Xenforo before 2.2.16 allows code injection. • https://xenforo.com/community/threads/xenforo-2-1-15-patch-1-2-2-16-patch-2-and-xenforo-media-gallery-2-1-9-2-2-6-released-includes-security-fixes.222133 http://seclists.org/fulldisclosure/2024/Jul/12 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1CVE-2024-3105 – Woody code snippets – Insert Header Footer Code, AdSense Ads <= 2.5.0 -Authenticated (Contributor+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-3105
The Woody code snippets – Insert Header Footer Code, AdSense Ads plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.5.0 via the 'insert_php' shortcode. This is due to the plugin not restricting the usage of the functionality to high level authorized users. This makes it possible for authenticated attackers, with contributor-level access and above, to execute code on the server. El complemento Woody code snippets – Insert Header Footer Code, AdSense Ads para WordPress es vulnerable a la ejecución remota de código en todas las versiones hasta la 2.5.0 incluida a través del código corto 'insert_php'. Esto se debe a que el complemento no restringe el uso de la funcionalidad a usuarios autorizados de alto nivel. • https://github.com/hunThubSpace/CVE-2024-3105-PoC https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/class.plugin.php#L166 https://plugins.trac.wordpress.org/browser/insert-php/trunk/includes/shortcodes/shortcode-insert-php.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3102522%40insert-php&new=3102522%40insert-php&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/134ad095-b0a0-4f0f-832d-3e558d4a250a?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 3.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37885 – Code injection in Nextcloud Desktop Client for macOS
https://notcve.org/view.php?id=CVE-2024-37885
A code injection in Nextcloud Desktop Client for macOS allowed to load arbitrary code when starting the client with DYLD_INSERT_LIBRARIES set in the enviroment. • https://github.com/nextcloud/desktop/pull/6378 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-4mf7-v63m-99p7 https://hackerone.com/reports/2307625 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-5671
https://notcve.org/view.php?id=CVE-2024-5671
Insecure Deserialization in some workflows of the IPS Manager allows unauthenticated remote attackers to perform arbitrary code execution and access to the vulnerable Trellix IPS Manager. • https://thrive.trellix.com/s/article/000013623 • CWE-502: Deserialization of Untrusted Data •