CVE-2024-48461
https://notcve.org/view.php?id=CVE-2024-48461
Cross Site Scripting vulnerability in TeslaLogger Admin Panel before v.1.59.6 allows a remote attacker to execute arbitrary code via the New Journey field. • https://github.com/bassmaster187/TeslaLogger/blob/65f5ff43c7cacf0391ddc21b90f77a2e8c8d860e/TeslaLogger/bin/changelog.md?plain=1#L4 https://mohammedshine.github.io/CVE-2024-48461.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2024-51568
https://notcve.org/view.php?id=CVE-2024-51568
There is /filemanager/upload (aka File Manager upload) unauthenticated remote code execution via shell metacharacters. • https://cwe.mitre.org/data/definitions/78.html https://cyberpanel.net/KnowledgeBase/home/change-logs https://cyberpanel.net/blog/cyberpanel-v2-3-5 https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2024-8512 – W3SPEEDSTER <= 7.26 - Authenticated (Administrator+) Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-8512
The W3SPEEDSTER plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 7.26 via the 'script' parameter of the hookBeforeStartOptimization() function. ... This makes it possible for authenticated attackers, with Administrator-level access and above, to execute code on the server. • https://plugins.trac.wordpress.org/browser/w3speedster-wp/trunk/w3speedster.php#L740 https://plugins.trac.wordpress.org/changeset/3175640 https://www.wordfence.com/threat-intel/vulnerabilities/id/2a56eb63-ba5c-4452-8ab9-f5aeaf53adda?source=cve • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') •
CVE-2024-51567 – CyberPanel Incorrect Default Permissions Vulnerability
https://notcve.org/view.php?id=CVE-2024-51567
upgrademysqlstatus in databases/views.py in CyberPanel (aka Cyber Panel) before 5b08cd6 allows remote attackers to bypass authentication and execute arbitrary commands via /dataBases/upgrademysqlstatus by bypassing secMiddleware (which is only for a POST request) and using shell metacharacters in the statusfile property, as exploited in the wild in October 2024 by PSAUX. ... CyberPanel contains an incorrect default permissions vulnerability that allows a remote, unauthenticated attacker to execute commands as root. • https://github.com/thehash007/CVE-2024-51567-RCE-EXPLOIT https://github.com/ajayalf/CVE-2024-51567 https://cwe.mitre.org/data/definitions/420.html https://cwe.mitre.org/data/definitions/78.html https://cyberpanel.net/KnowledgeBase/home/change-logs https://cyberpanel.net/blog/detials-and-fix-of-recent-security-issue-and-patch-of-cyberpanel https://dreyand.rs/code/review/2024/10/27/what-are-my-options-cyberpanel-v236-pre-auth-rce https://github.com/usmannasir/cyberpa • CWE-276: Incorrect Default Permissions •
CVE-2024-44236 – Apple macOS ICC Profile Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-44236
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://support.apple.com/en-us/121568 https://support.apple.com/en-us/121570 • CWE-787: Out-of-bounds Write •