CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10626 – WooCommerce Support Ticket System <= 17.7 - Authenticated (Subscriber+) Arbitrary File Deletion
https://notcve.org/view.php?id=CVE-2024-10626
08 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). • https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10627 – WooCommerce Support Ticket System <= 17.7 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10627
08 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/woocommerce-support-ticket-system/17930050 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10673 – Top Store <= 1.5.4 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10673
08 Nov 2024 — This makes it possible for authenticated attackers, with subscriber-level access and above, to install arbitrary plugins which can contain other exploitable vulnerabilities to elevate privileges and gain remote code execution. • https://themes.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=247826%40top-store&new=247826%40top-store&sfp_email=&sfph_mail= • CWE-862: Missing Authorization •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10674 – Th Shop Mania <= 1.4.9 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
https://notcve.org/view.php?id=CVE-2024-10674
08 Nov 2024 — This makes it possible for authenticated attackers, with Subscriber-level access and above, to install arbitrary plugins which can be leveraged to exploit other vulnerabilities and achieve remote code execution and privilege escalation. • https://themes.svn.wordpress.org/th-shop-mania/1.4.9/lib/notification/notify.php • CWE-862: Missing Authorization •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10801 – WordPress User Extra Fields <= 16.5 - Unauthenticated Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-10801
08 Nov 2024 — This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible. • https://codecanyon.net/item/user-extra-fields/12949844 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10871 – Category Ajax Filter <= 2.8.2 - Unauthenticated Local File Inclusion
https://notcve.org/view.php?id=CVE-2024-10871
08 Nov 2024 — This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where files with a .php extension can be uploaded and included. • https://plugins.trac.wordpress.org/browser/category-ajax-filter/tags/2.8.2/includes/functions.php#L180 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-8424 – WatchGuard Endpoint Protection Privilege Escalation in PSANHost Enables Arbitrary File Delete as SYSTEM
https://notcve.org/view.php?id=CVE-2024-8424
07 Nov 2024 — An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Application Host Service. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00017 • CWE-269: Improper Privilege Management •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49524 – Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-49524
07 Nov 2024 — Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute arbitrary code in the context of the victim's browser session. • https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2024-43425 – Moodle: remote code execution via calculated question types
https://notcve.org/view.php?id=CVE-2024-43425
07 Nov 2024 — Additional restrictions are required to avoid a remote code execution risk in calculated question types. ... This Metasploit module exploits a command injection vulnerability in Moodle (CVE-2024-43425) to obtain remote code execution. • https://github.com/RedTeamPentesting/moodle-rce-calculatedquestions • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10526 – Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
https://notcve.org/view.php?id=CVE-2024-10526
07 Nov 2024 — By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. • https://docs.velociraptor.app/announcements/2024-cves • CWE-552: Files or Directories Accessible to External Parties CWE-732: Incorrect Permission Assignment for Critical Resource •