CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2024-9162 – All-in-One WP Migration and Backup <= 7.86 - Authenticated (Administrator+) Arbitrary PHP Code Injection
https://notcve.org/view.php?id=CVE-2024-9162
This makes it possible for authenticated attackers, with Administrator-level access and above, to create an export file with the .php extension on the affected site's server, adding an arbitrary PHP code to it, which may make remote code execution possible. • https://github.com/d0n601/CVE-2024-9162 https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-backups-controller.php#L60 https://plugins.trac.wordpress.org/browser/all-in-one-wp-migration/trunk/lib/controller/class-ai1wm-export-controller.php#L36 https://ryankozak.com/posts/CVE-2024-9162 https://www.wordfence.com/threat-intel/vulnerabilities/id/d97c3379-56c9-4261-9a70-3119ec121a40?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-50623
https://notcve.org/view.php?id=CVE-2024-50623
In Cleo Harmony before 5.8.0.21, VLTrader before 5.8.0.21, and LexiCom before 5.8.0.21, there is an unrestricted file upload and download that could lead to remote code execution. • https://support.cleo.com/hc/en-us/articles/27140294267799-Cleo-Product-Security-Advisory • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47821 – pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
https://notcve.org/view.php?id=CVE-2024-47821
By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. ... By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49380 – Plenti arbitrary file write vulnerability
https://notcve.org/view.php?id=CVE-2024-49380
This issue may lead to Remote Code Execution. • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205 https://github.com/plentico/plenti/releases/tag/v0.7.2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49378 – smartUp Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-49378
The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. • https://github.com/zimocode/smartup/blob/2144ec161697751b1a6702f1af866726ea689e4e/js/background.js#L3800 https://securitylab.github.com/advisories/GHSL-2024-011_smartup • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •