CVE-2024-6581 – Remote Code Execution due to Stored XSS in parisneo/lollms
https://notcve.org/view.php?id=CVE-2024-6581
Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. • https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-6868 – Arbitrary File Write in mudler/LocalAI
https://notcve.org/view.php?id=CVE-2024-6868
This vulnerability can lead to remote code execution (RCE) by overwriting backend assets used by the server. • https://github.com/mudler/localai/commit/a181dd0ebc5d3092fc50f61674d552604fe8ef9c https://huntr.com/bounties/752d2376-2d9a-4e17-b462-3c267f9dd229 • CWE-20: Improper Input Validation •
CVE-2024-5982 – Path Traversal in gaizhenbiao/chuanhuchatgpt
https://notcve.org/view.php?id=CVE-2024-5982
Specifically, the load_chat_history function in modules/models/base_model.py allows arbitrary file uploads, potentially leading to remote code execution (RCE). The get_history_names function in utils.py permits arbitrary directory creation. • https://github.com/gaizhenbiao/chuanhuchatgpt/commit/952fc8c3cbacead858311747cddd4bedcb4721d7 https://huntr.com/bounties/5d5c5356-e893-44d1-b5ca-642aa05d96bb • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-7985 – FileOrganizer <= 1.0.9 - Authenticated (Subscriber+) Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-7985
This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an administrator, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://plugins.trac.wordpress.org/browser/fileorganizer/trunk/main/ajax.php#L13 https://plugins.trac.wordpress.org/changeset/3149878 https://www.wordfence.com/threat-intel/vulnerabilities/id/f79164c2-be3b-496d-b747-3e4b60b7fc2b?source=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVE-2024-51075
https://notcve.org/view.php?id=CVE-2024-51075
A Reflected Cross Site Scripting (XSS) vulnerability was found in /odms/admin/user-search.php in PHPGurukul Online DJ Booking Management System v1.0, which allows remote attackers to execute arbitrary code via the searchdata parameter. • https://github.com/Santoshcyber1/CVE-wirteup/blob/main/Phpgurukul/Online%20DJ%20Booking/DJ%20online%20Cross%20Site%20Scripting%20%20u.pdf • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •