CVSS: 7.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-34724 – PowerVR _UnrefAndMaybeDestroy() Use-After-Free
https://notcve.org/view.php?id=CVE-2024-34724
In _UnrefAndMaybeDestroy of pmr.c, there is a possible arbitrary code execution due to a race condition. • https://source.android.com/security/bulletin/2024-07-01 • CWE-368: Context Switching Race Condition •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-4261 – Responsive Contact Form Builder & Lead Generation Plugin <= 1.9.1 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-4261
The Responsive Contact Form Builder & Lead Generation Plugin plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.9.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with subscriber-level access and above, to execute arbitrary shortcodes. El complemento Responsive Contact Form Builder & Lead Generation Plugin para WordPress es vulnerable a la ejecución arbitraria de códigos cortos en todas las versiones hasta la 1.9.1 incluida. Esto se debe a que el software permite a los usuarios ejecutar una acción que no valida correctamente un valor antes de ejecutar do_shortcode. • https://plugins.trac.wordpress.org/browser/lead-form-builder/trunk/block/app.php#L24 https://www.wordfence.com/threat-intel/vulnerabilities/id/858d8641-7455-47c2-9639-480ce4ec3540?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-24294
https://notcve.org/view.php?id=CVE-2024-24294
A Prototype Pollution issue in Blackprint @blackprint/engine v.0.9.0 allows an attacker to execute arbitrary code via the _utils.setDeepProperty function of engine.min.js. Un problema de contaminación de prototipos en Blackprint @blackprint/engine v.0.9.0 permite a un atacante ejecutar código arbitrario a través de la función _utils.setDeepProperty de Engine.min.js. • https://gist.github.com/mestrtee/d1eb6e1f7c6dd60d8838c3e56cab634d • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.7EPSS: 0%CPEs: -EXPL: 0CVE-2024-36078
https://notcve.org/view.php?id=CVE-2024-36078
In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allowed a local attacker on the server to modify the gem's files, injecting arbitrary code into Zammad processes (which run with the environment and permissions of the Zammad user). En Zammad anterior a 6.3.1, se instala una gema Ruby incluida en Zammad con permisos de archivos de escritura mundial. Esto permitió a un atacante local en el servidor modificar los archivos de la gema, inyectando código arbitrario en los procesos de Zammad (que se ejecutan con el entorno y los permisos del usuario de Zammad). • https://zammad.com/en/advisories/zaa-2024-04 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-4264 – Remote Code Execution in berriai/litellm
https://notcve.org/view.php?id=CVE-2024-4264
A remote code execution (RCE) vulnerability exists in the berriai/litellm project due to improper control of the generation of code when using the `eval` function unsafely in the `litellm.get_secret()` method. Specifically, when the server utilizes Google KMS, untrusted data is passed to the `eval` function without any sanitization. Attackers can exploit this vulnerability by injecting malicious values into environment variables through the `/config/update` endpoint, which allows for the update of settings in `proxy_server_config.yaml`. Existe una vulnerabilidad de ejecución remota de código (RCE) en el proyecto berriai/litellm debido a un control inadecuado de la generación de código cuando se utiliza la función `eval` de forma insegura en el método `litellm.get_secret()`. Específicamente, cuando el servidor utiliza Google KMS, los datos que no son de confianza se pasan a la función "eval" sin ningún tipo de desinfección. • https://huntr.com/bounties/a3221b0c-6e25-4295-ab0f-042997e8fc61 • CWE-94: Improper Control of Generation of Code ('Code Injection') •