CVSS: 8.7EPSS: 0%CPEs: 1EXPL: 0CVE-2024-51735 – Stored Cross-site Scripting to RCE on Osmedeus Web Server
https://notcve.org/view.php?id=CVE-2024-51735
05 Nov 2024 — Osmedeus is a Workflow Engine for Offensive Security. Cross-site Scripting (XSS) occurs on the Osmedues web server when viewing results from the workflow, allowing commands to be executed on the server. When using a workflow that contains the summary module, it generates reports in HTML and Markdown formats. The default report is based on the `general-template.md` template.The contents of the files are read and used to generate the report. However, the file contents are not properly filtered, leading to XSS... • https://github.com/j3ssie/osmedeus/security/advisories/GHSA-wvv7-wm5v-w2gv • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-50333 – RCE in ModuleBuilder in SuiteCRM
https://notcve.org/view.php?id=CVE-2024-50333
05 Nov 2024 — SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. User input is not validated and is written to the filesystem. The ParserLabel::addLabels() function can be used to write attacker-controlled data into the custom language file that will be included at the runtime. This issue has been addressed in versions 7.14.6 and 8.7.1. Users are advised to upgrade. • https://github.com/salesagility/SuiteCRM/security/advisories/GHSA-qrv6-3q86-qv89 • CWE-20: Improper Input Validation •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9307 – mFolio Lite <= 1.2.1 - Missing Authorization to Authenticated (Author+) File Upload via EXE and SVG Files
https://notcve.org/view.php?id=CVE-2024-9307
05 Nov 2024 — This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file or upload arbitrary EXE files on the affected site's server which may make remote code execution possible if the attacker can also gain access to run the .exe file, or trick a site visitor into downloading and running the .exe file. • https://wordpress.org/plugins/mfolio-lite/#developers • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2024-50096 – nouveau/dmem: Fix vulnerability in migrate_to_ram upon copy error
https://notcve.org/view.php?id=CVE-2024-50096
05 Nov 2024 — A physically proximate remote attacker could use this to cause a denial of service or possibly execute arbitrary code. ... A physically proximate remote attacker could use this to expose sensitive information. • https://git.kernel.org/stable/c/5be73b690875f7eb2d2defb54ccd7f2f12074984 •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2024-50095 – RDMA/mad: Improve handling of timed out WRs of mad agent
https://notcve.org/view.php?id=CVE-2024-50095
05 Nov 2024 — A physically proximate remote attacker could use this to cause a denial of service or possibly execute arbitrary code. ... A physically proximate remote attacker could use this to expose sensitive information. • https://git.kernel.org/stable/c/713adaf0ecfc49405f6e5d9e409d984f628de818 •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2024-50093 – thermal: intel: int340x: processor: Fix warning during module unload
https://notcve.org/view.php?id=CVE-2024-50093
05 Nov 2024 — A physically proximate remote attacker could use this to cause a denial of service or possibly execute arbitrary code. ... A physically proximate remote attacker could use this to expose sensitive information. • https://git.kernel.org/stable/c/acd65d5d1cf4a3324c8970ba74632abe069fe23e •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9579 – Certain Poly Video Conference Devices – Potential Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-9579
05 Nov 2024 — A potential vulnerability was discovered in certain Poly video conferencing devices. The firmware flaw does not properly sanitize user input. The exploitation of this vulnerability is dependent on a layered attack and cannot be exploited by itself. Se descubrió una vulnerabilidad potencial en ciertos dispositivos de videoconferencia de Poly. El fallo del firmware no desinfecta adecuadamente la entrada del usuario. • https://support.hp.com/us-en/document/ish_11536495-11536533-16/hpsbpy03900 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47253
https://notcve.org/view.php?id=CVE-2024-47253
05 Nov 2024 — In 2N Access Commander versions 3.1.1.2 and prior, a Path Traversal vulnerability could allow an attacker with administrative privileges to write files on the filesystem and potentially achieve arbitrary remote code execution. • https://www.2n.com/en-GB/about-2n/cybersecurity • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-48746
https://notcve.org/view.php?id=CVE-2024-48746
05 Nov 2024 — An issue in Lens Visual integration with Power BI v.4.0.0.3 allows a remote attacker to execute arbitrary code via the Natural language processing component Un problema en la integración de Lens Visual con Power BI v.4.0.0.3 permite que un atacante remoto ejecute código arbitrario a través del componente de procesamiento de lenguaje natural. • https://gist.github.com/KaiqueFerreiraPeres/a56c33104a52019c533e4283c257d3a0 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-51358
https://notcve.org/view.php?id=CVE-2024-51358
05 Nov 2024 — An issue in Linux Server Heimdall v.2.6.1 allows a remote attacker to execute arbitrary code via a crafted script to the Add new application. • https://github.com/Kov404/CVE-2024-51358 • CWE-918: Server-Side Request Forgery (SSRF) •