CVE-2024-49361 – Potential Vulnerability in ACON Library: Improper Input Validation Leading to Malicious Code Execution
https://notcve.org/view.php?id=CVE-2024-49361
A potential vulnerability has been identified in the input validation process, which could lead to arbitrary code execution if exploited. This issue could allow an attacker to submit malicious input data, bypassing input validation, resulting in remote code execution in certain machine learning applications using the ACON library. • https://github.com/torinriley/ACON/security/advisories/GHSA-345g-6rmp-3cv9 • CWE-20: Improper Input Validation
CVE-2024-47487
https://notcve.org/view.php?id=CVE-2024-47487
There is a SQL injection vulnerability in some HikCentral Professional versions. This could allow an authenticated user to execute arbitrary SQL queries. • https://www.hikvision.com/en/support/cybersecurity/security-advisory/security-vulnerabilities-in-hikcentral-product-series
CVE-2024-9264 – Grafana SQL Expressions allow for remote code execution
https://notcve.org/view.php?id=CVE-2024-9264
The SQL Expressions experimental feature of Grafana allows for the evaluation of `duckdb` queries containing user input. These queries are insufficiently sanitized before being passed to `duckdb`, leading to a command injection and local file inclusion vulnerability. Any user with the VIEWER or higher permission is capable of executing this attack. The `duckdb` binary must be present in Grafana's $PATH for this attack to function; by default, this binary is not installed in Grafana distributions. • https://github.com/z3k0sec/CVE-2024-9264-RCE-Exploit https://github.com/nollium/CVE-2024-9264 https://github.com/z3k0sec/File-Read-CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264 https://github.com/zgimszhd61/CVE-2024-9264-RCE https://github.com/PunitTailor55/Grafana-CVE-2024-9264 https://grafana.com/security/security-advisories/cve-2024-9264 • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2024-49624 – WordPress Advanced Advertising System plugin <= 1.3.1 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49624
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/vulnerability/advanced-advertising-system/wordpress-advanced-advertising-system-plugin-1-3-1-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data
CVE-2024-49625 – WordPress SiteBuilder Dynamic Components plugin <= 1.0 - PHP Object Injection vulnerability
https://notcve.org/view.php?id=CVE-2024-49625
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code. • https://patchstack.com/database/vulnerability/sitebuilder-dynamic-components/wordpress-sitebuilder-dynamic-components-plugin-1-0-php-object-injection-vulnerability?_s_id=cve • CWE-502: Deserialization of Untrusted Data