CVE-2024-34102 – Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
https://notcve.org/view.php?id=CVE-2024-34102
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. • https://github.com/bigb0x/CVE-2024-34102 https://github.com/11whoami99/CVE-2024-34102 https://github.com/unknownzerobit/poc https://github.com/d0rb/CVE-2024-34102 https://github.com/bughuntar/CVE-2024-34102 https://github.com/bughuntar/CVE-2024-34102-Python https://github.com/Chocapikk/CVE-2024-34102 https://github.com/th3gokul/CVE-2024-34102 https://github.com/0x0d3ad/CVE-2024-34102 https://github.com/jakabakos/CVE-2024-34102-CosmicSting-XXE-in-Adobe-Commerce-and-Magento • CWE-611: Improper Restriction of XML External Entity Reference •
CVE-2024-34108 – Large attack surface through legit webhook usage in Adobe Commerce
https://notcve.org/view.php?id=CVE-2024-34108
Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. ... La explotación de este problema no requiere la interacción del usuario, pero se requieren privilegios de administrador Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Input Validation vulnerability that could result in arbitrary code execution in the context of the current user. • https://helpx.adobe.com/security/products/magento/apsb24-40.html • CWE-20: Improper Input Validation •
CVE-2024-37849
https://notcve.org/view.php?id=CVE-2024-37849
A SQL Injection vulnerability in itsourcecode Billing System 1.0 allows a local attacker to execute arbitrary code in process.php via the username parameter. Una vulnerabilidad de inyección SQL en itsourcecode Billing System 1.0 permite a un atacante local ejecutar código arbitrario en Process.php a través del parámetro de nombre de usuario. • https://github.com/ganzhi-qcy/cve/issues/3 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2024-28964
https://notcve.org/view.php?id=CVE-2024-28964
A local unauthenticated attacker could potentially exploit this vulnerability, leading to arbitrary code execution in the context of the logged in user. • https://www.dell.com/support/kbdoc/en-us/000224987/dsa-2024-179-security-update-for-dell-emc-common-event-enabler-windows-for-cavatools-vulnerabilities • CWE-502: Deserialization of Untrusted Data •
CVE-2024-1577 – Remote Code Execution in MegaBIP
https://notcve.org/view.php?id=CVE-2024-1577
Remote Code Execution vulnerability in MegaBIP software allows to execute arbitrary code on the server without requiring authentication by saving crafted by the attacker PHP code to one of the website files. This issue affects MegaBIP software versions through 5.11.2. La vulnerabilidad de ejecución remota de código en el software MegaBIP permite ejecutar código arbitrario en el servidor sin requerir autenticación al guardar el código PHP creado por el atacante en uno de los archivos del sitio web. Este problema afecta a todas las versiones del software MegaBIP. • https://cert.pl/en/posts/2024/06/CVE-2024-1576 https://cert.pl/posts/2024/06/CVE-2024-1576 https://megabip.pl https://www.gov.pl/web/cyfryzacja/rekomendacja-pelnomocnika-rzadu-ds-cyberbezpieczenstwa-dotyczaca-biuletynow-informacji-publicznej • CWE-94: Improper Control of Generation of Code ('Code Injection') •