CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47821 – pyLoad vulnerable to remote code execution by download to /.pyload/scripts using /flashgot API
https://notcve.org/view.php?id=CVE-2024-47821
By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions on the 0.5 branch prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. ... By downloading a executable file to a folder in /scripts and performing the respective action, remote code execution can be achieved in versions prior to 0.5.0b3.dev87. ... This vulnerability allows an attacker with access to change the settings on a pyload server to execute arbitrary code and completely compromise the system. • https://github.com/pyload/pyload/security/advisories/GHSA-w7hq-f2pj-c53g • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49380 – Plenti arbitrary file write vulnerability
https://notcve.org/view.php?id=CVE-2024-49380
This issue may lead to Remote Code Execution. • https://securitylab.github.com/advisories/GHSL-2024-297_GHSL-2024-298_plenti https://github.com/plentico/plenti/blob/01825e0dcd3505fac57adc2edf29f772d585c008/cmd/serve.go#L205 https://github.com/plentico/plenti/releases/tag/v0.7.2 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49378 – smartUp Cross-site Scripting vulnerability
https://notcve.org/view.php?id=CVE-2024-49378
The vulnerability allows another extension to execute arbitrary code in the context of the user’s tab. • https://github.com/zimocode/smartup/blob/2144ec161697751b1a6702f1af866726ea689e4e/js/background.js#L3800 https://securitylab.github.com/advisories/GHSL-2024-011_smartup • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: -EXPL: 0CVE-2024-37845
https://notcve.org/view.php?id=CVE-2024-37845
MangoOS before 5.2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the Active Process Command feature. • https://github.com/herombey/Disclosures/blob/main/CVE-2024-37845%20RCE.pdf https://github.com/herombey/Disclosures/tree/main • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-50480 – WordPress Marketing Automation by AZEXO plugin <= 1.27.80 - Arbitrary File Upload vulnerability
https://notcve.org/view.php?id=CVE-2024-50480
This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://patchstack.com/database/vulnerability/marketing-automation-by-azexo/wordpress-marketing-automation-by-azexo-plugin-1-27-80-arbitrary-file-upload-vulnerability?_s_id=cve • CWE-434: Unrestricted Upload of File with Dangerous Type •