CVSS: 7.4EPSS: 0%CPEs: 5EXPL: 0CVE-2024-42365 – Asterisk allows `Write=originate` as sufficient permissions for code execution / `System()` dialplan
https://notcve.org/view.php?id=CVE-2024-42365
This issue may result in privilege escalation, remote code execution and/or blind server-side request forgery with arbitrary protocol. • https://github.com/asterisk/asterisk/blob/14367caaf7241df1eceea7c45c5b261989c2c6db/main/manager.c#L6426 https://github.com/asterisk/asterisk/blob/7d28165cb1b2d02d66e8693bd3fe23ee72fc55d8/main/manager.c#L6426 https://github.com/asterisk/asterisk/commit/42a2f4ccfa2c7062a15063e765916b3332e34cc4 https://github.com/asterisk/asterisk/commit/7a0090325bfa9d778a39ae5f7d0a98109e4651c8 https://github.com/asterisk/asterisk/commit/b4063bf756272254b160b6d1bd6e9a3f8e16cc71 https://github.com/asterisk/asterisk/commit/bbe68db10ab8a80c29db383e4dfe14f6eafaf993 https://github.com/asterisk/asterisk • CWE-267: Privilege Defined With Unsafe Actions CWE-1220: Insufficient Granularity of Access Control •
CVSS: 9.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7490 – Remote Code Execution in Advanced Software Framework DHCP server
https://notcve.org/view.php?id=CVE-2024-7490
Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow. This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option. This issue affects Advanced Software Framework: through 3.52.0.2574. ASF is no longer being supported. • https://www.microchip.com/en-us/tools-resources/develop/libraries/advanced-software-framework • CWE-20: Improper Input Validation CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 6.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-40484
https://notcve.org/view.php?id=CVE-2024-40484
A Reflected Cross Site Scripting (XSS) vulnerability was found in "/oahms/search.php" in PHPGurukul Old Age Home Management System v1.0, which allows remote attackers to execute arbitrary code via the "searchdata" parameter. • https://github.com/takekaramey/CVE_Writeup/blob/main/PHPGurukul/Old%20Age%20Home%20Mgmt%20System%20v1.0/Reflected%20XSS.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-40482
https://notcve.org/view.php?id=CVE-2024-40482
An Unrestricted file upload vulnerability was found in "/Membership/edit_member.php" of Kashipara Live Membership System v1.0, which allows attackers to execute arbitrary code via uploading a crafted PHP file. • https://github.com/takekaramey/CVE_Writeup/blob/main/Kashipara/Live%20Membership%20System%20v1.0/Unrestricted%20File%20Upload.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: -EXPL: 0CVE-2024-40473
https://notcve.org/view.php?id=CVE-2024-40473
It allows remote attackers to execute arbitrary code via "House_no" and "Description" parameter fields. • https://github.com/takekaramey/CVE_Writeup/blob/main/Sourcecodester/Best%20House%20Rental%20Management%20System%20v1.0/Stored%20XSS.pdf https://www.sourcecodester.com/php/17375/best-courier-management-system-project-php.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •