Page 90 of 8799 results (0.131 seconds)

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

On versions before 2.1.4, a user could log in and perform a template injection attack resulting in Remote Code Execution on the server, The attacker must successfully log into the system to launch an attack, so this is a moderate-impact vulnerability. Mitigation: all users should upgrade to 2.1.4 En versiones anteriores a la 2.1.4, un usuario podía iniciar sesión y realizar un ataque de inyección de plantilla que generaba una ejecución remota de código en el servidor. El atacante debía iniciar sesión correctamente en el sistema para lanzar un ataque, por lo que se trata de una vulnerabilidad de impacto moderado. Mitigación: todos los usuarios deben actualizar a 2.1.4 • http://www.openwall.com/lists/oss-security/2024/07/18/1 https://lists.apache.org/thread/n6dhnl68knpxy80t35qxkkw2691l8sfn • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0

Vulnerability in SonicWall SMA100 NetExtender Windows (32 and 64-bit) client 10.2.339 and earlier versions allows an attacker to arbitrary code execution when processing an EPC Client update. • https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2024-0011 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0

Apache Airflow 2.4.0, and versions before 2.9.3, has a vulnerability that allows authenticated DAG authors to craft a doc_md parameter in a way that could execute arbitrary code in the scheduler context, which should be forbidden according to the Airflow Security model. Users should upgrade to version 2.9.3 or later which has removed the vulnerability. Apache Airflow 2.4.0 y versiones anteriores a 2.9.3 tienen una vulnerabilidad que permite a los autores de DAG autenticados crear un parámetro doc_md de manera que pueda ejecutar código arbitrario en el contexto del programador, lo que debería estar prohibido según el modelo de seguridad de Airflow. Los usuarios deben actualizar a la versión 2.9.3 o posterior, que eliminó la vulnerabilidad. • https://github.com/apache/airflow/pull/40522 https://lists.apache.org/thread/1xhj9dkp37d6pzn24ll2mf94wbqnb2y1 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-277: Insecure Inherited Permissions •

CVSS: 8.0EPSS: 0%CPEs: -EXPL: 0

A Server-Side Template Injection (SSTI) vulnerability in the edit theme function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload. Una vulnerabilidad de Server-Side Template Injection (SSTI) en la función de edición de tema del proyecto openCart v4.0.2.3 permite a los atacantes ejecutar código arbitrario mediante la inyección de un payload manipulado. • https://github.com/A3h1nt/CVEs/blob/main/OpenCart/Readme.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 1

JupyterLab extension template is a `copier` template for JupyterLab extensions. Repositories created using this template with `test` option include `update-integration-tests.yml` workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to the latest version. Users who made changes to `update-integration-tests.yml`, accept overwriting of this file and re-apply your changes later. Users may wish to temporarily disable GitHub Actions while working on the upgrade. • https://github.com/LOURC0D3/CVE-2024-39700-PoC https://github.com/jupyterlab/extension-template/commit/035e78c1c65bcedee97c95bb683abe59c96bc4e6 https://github.com/jupyterlab/extension-template/security/advisories/GHSA-45gq-v5wm-82wg • CWE-94: Improper Control of Generation of Code ('Code Injection') •