CVSS: 9.8EPSS: 93%CPEs: 1EXPL: 6CVE-2024-38856 – Apache OFBiz Incorrect Authorization Vulnerability
https://notcve.org/view.php?id=CVE-2024-38856
Incorrect Authorization vulnerability in Apache OFBiz. This issue affects Apache OFBiz: through 18.12.14. Users are recommended to upgrade to version 18.12.15, which fixes the issue. Unauthenticated endpoints could allow execution of screen rendering code of screens if some preconditions are met (such as when the screen definitions don't explicitly check user's permissions because they rely on the configuration of their endpoints). ... Apache OFBiz contains an incorrect authorization vulnerability that could allow remote code execution via a Groovy payload in the context of the OFBiz user process by an unauthenticated attacker. • https://github.com/codeb0ss/CVE-2024-38856-PoC https://github.com/Praison001/CVE-2024-38856-ApacheOfBiz https://github.com/0x20c/CVE-2024-38856-EXP https://github.com/ThatNotEasy/CVE-2024-38856 https://github.com/BBD-YZZ/CVE-2024-38856-RCE https://github.com/emanueldosreis/CVE-2024-38856 https://issues.apache.org/jira/browse/OFBIZ-13128 https://lists.apache.org/thread/olxxjk6b13sl3wh9cmp0k2dscvp24l7w https://ofbiz.apache.org/download.html https://ofbiz.apache.org/security.html • CWE-863: Incorrect Authorization •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7537 – oFono QMI SMS Handling Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-7537
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. ... An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of root. • https://www.zerodayinitiative.com/advisories/ZDI-24-1077 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7539 – oFono CUSD Stack-based Buffer Overflow Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-7539
This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of responses from AT+CUSD commands. ... An attacker can leverage this vulnerability to execute code in the context of root. ... This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. ... An attacker can leverage this vulnerability to execute code in the context of root. • https://www.zerodayinitiative.com/advisories/ZDI-24-1079 • CWE-121: Stack-based Buffer Overflow •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7546 – oFono SimToolKit Heap-based Buffer Overflow Privilege Escalation Vulnerability
https://notcve.org/view.php?id=CVE-2024-7546
This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. An attacker must first obtain the ability to execute code on the target modem in order to exploit this vulnerability. The specific flaw exists within the parsing of STK command PDUs. ... An attacker can leverage this vulnerability to execute code in the context of the service account. ... This vulnerability allows local attackers to execute arbitrary code on affected installations of oFono. ... An attacker can leverage this vulnerability to execute code in the context of the service account. • https://www.zerodayinitiative.com/advisories/ZDI-24-1086 • CWE-122: Heap-based Buffer Overflow •
CVSS: 3.3EPSS: 0%CPEs: -EXPL: 0CVE-2024-7511 – Trimble SketchUp Pro SKP File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
https://notcve.org/view.php?id=CVE-2024-7511
An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. •