CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10820 – WooCommerce Upload Files <= 84.3 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10820
12 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/woocommerce-upload-files/11442983 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-11150 – WordPress User Extra Fields <= 16.6 - Unauthenticated Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-11150
12 Nov 2024 — This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://codecanyon.net/item/user-extra-fields/12949844 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2024-11079 – Ansible-core: unsafe tagging bypass via hostvars object in ansible-core
https://notcve.org/view.php?id=CVE-2024-11079
11 Nov 2024 — This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. • https://access.redhat.com/security/cve/CVE-2024-11079 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51748 – Remote code execution through language setting in kanboard
https://notcve.org/view.php?id=CVE-2024-51748
11 Nov 2024 — An authenticated Kanboard admin can run arbitrary php code on the server in combination with a file write possibility. ... Once the attacker has placed its file with the actual php code as the payload, the attacker can craft a sqlite db settings, which uses path traversal to point to the directory, where the `translations.php` file is stored. Then gaining code execution after importing the crafted sqlite.db. • https://github.com/kanboard/kanboard/security/advisories/GHSA-jvff-x577-j95p • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11019 – Grand Vice info Webopac7 - Reflected XSS
https://notcve.org/view.php?id=CVE-2024-11019
11 Nov 2024 — Webopac from Grand Vice info has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript code in the user's browser through phishing techniques. • https://www.twcert.org.tw/en/cp-139-8216-f7dbf-2.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11018 – Grand Vice info Webopac - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11018
11 Nov 2024 — Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-8214-64fa2-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11017 – Grand Vice info Webopac - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11017
11 Nov 2024 — Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-8212-a7d3a-2.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: -EXPL: 1CVE-2024-41992
https://notcve.org/view.php?id=CVE-2024-41992
11 Nov 2024 — For example, on Arcadyan FMIMG51AX000J devices, this leads to wfaTGSendPing remote code execution as root via traffic to TCP port 8000 or 8080 on a LAN interface. • https://ssd-disclosure.com/ssd-advisory-arcadyan-fmimg51ax000j-wifi-alliance-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-50636
https://notcve.org/view.php?id=CVE-2024-50636
11 Nov 2024 — PyMOL 2.5.0 contains a vulnerability in its "Run Script" function, which allows the execution of arbitrary Python code embedded within .PYM files. Attackers can craft a malicious .PYM file containing a Python reverse shell payload and exploit the function to achieve Remote Command Execution (RCE). This vulnerability arises because PyMOL treats .PYM files as Python scripts without properly validating or restricting the commands within the script, enabling attackers to run u... • https://github.com/schrodinger/pymol-open-source/issues/405 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-52369 – WordPress KBucket plugin <= 4.1.6 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-52369
11 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/kbucket/wordpress-kbucket-plugin-4-1-6-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •