CVE-2024-3094

Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. The tarballs included extra .m4 files, which contained instructions for building with automake that did not exist in the repository. These instructions, through a series of complex obfuscations, extract a prebuilt object file from one of the test archives, which is then used to modify specific functions in the code while building the liblzma package. This issue results in liblzma being used by additional software, like sshd, to provide functionality that will be interpreted by the modified functions.

Github link:
https://github.com/XiaomingX/cve-2024-3094-xz-backdoor-exploit

CVE-2024-10220

None

Github link:
https://github.com/XiaomingX/cve-2024-10220-githooks

CVE-2024-22734

None

Github link:
https://github.com/securekomodo/CVE-2024-22734

CVE-2024-11320

None

Github link:
https://github.com/mhaskar/CVE-2024-11320

CVE-2023-28205

None

Github link:
https://github.com/ntfargo/uaf-2023-28205

CVE-2024-52940

AnyDesk through 8.1.0 on Windows, when Allow Direct Connections is enabled, inadvertently exposes a public IP address within network traffic. The attacker must know the victim's AnyDesk ID.

Github link:
https://github.com/MKultra6969/AnySniff

CVE-2024-38816

Applications serving static resources through the functional web frameworks WebMvc.fn or WebFlux.fn are vulnerable to path traversal attacks. An attacker can craft malicious HTTP requests and obtain any file on the file system that is also accessible to the process in which the Spring application is running.

Specifically, an application is vulnerable when both of the following are true:

* the web application uses RouterFunctions to serve static resources
* resource handling is explicitly configured with a FileSystemResource location


However, malicious requests are blocked and rejected when any of the following is true:

* the Spring Security HTTP Firewall https://docs.spring.io/spring-security/reference/servlet/exploits/firewall.html  is in use
* the application runs on Tomcat or Jetty

Github link:
https://github.com/Anthony1078/App-vulnerable

CVE-2024-8672

None

Github link:
https://github.com/Chocapikk/CVE-2024-8672

CVE-2024-5124

None

Github link:
https://github.com/XiaomingX/CVE-2024-5124-poc

CVE-2024-9465

An SQL injection vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. With this, attackers can also create and read arbitrary files on the Expedition system.

Github link:
https://github.com/XiaomingX/cve-2024-9465-poc

CVE-2024-42327

None

Github link:
https://github.com/compr00t/CVE-2024-42327

CVE-2024-10914

A vulnerability was found in D-Link DNS-320, DNS-320LW, DNS-325 and DNS-340L up to 20241028. It has been declared as critical. Affected by this vulnerability is the function cgi_user_add of the file /cgi-bin/account_mgr.cgi?cmd=cgi_user_add. The manipulation of the argument name leads to os command injection. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used.

Github link:
https://github.com/jahithoque/CVE-2024-10914-Exploit

CVE-2024-50498

Improper Control of Generation of Code ('Code Injection') vulnerability in LUBUS WP Query Console allows Code Injection.This issue affects WP Query Console: from n/a through 1.0.

Github link:
https://github.com/p0et08/CVE-2024-50498

CVE-2018-16763

FUEL CMS 1.4.1 allows PHP Code Evaluation via the pages/select/ filter parameter or the preview/ data parameter. This can lead to Pre-Auth Remote Code Execution.

Github link:
https://github.com/saccles/CVE-2018-16763-Proof-of-Concept

CVE-2021-42260

TinyXML through 2.6.2 has an infinite loop in TiXmlParsingData::Stamp in tinyxmlparser.cpp via the TIXML_UTF_LEAD_0 case. It can be triggered by a crafted XML message and leads to a denial of service.

Github link:
https://github.com/vm2mv/tinyxml

CVE-2024-5910

None

Github link:
https://github.com/Farzan-Kh/CVE-2024-5910

CVE-2021-3129

Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents(). This is exploitable on sites using debug mode with Laravel before 8.4.2.

Github link:
https://github.com/Prabesh01/hoh4

CVE-2024-46538

A cross-site scripting (XSS) vulnerability in pfsense v2.5.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $pconfig variable at interfaces_groups_edit.php.

Github link:
https://github.com/LauLeysen/CVE-2024-46538

CVE-2022-1386

The Fusion Builder WordPress plugin before 3.6.2, used in the Avada theme, does not validate a parameter in its forms which could be used to initiate arbitrary HTTP requests. The data returned is then reflected back in the application's response. This could be used to interact with hosts on the server's local network bypassing firewalls and access control measures.

Github link:
https://github.com/lamcodeofpwnosec/CVE-2022-1386

CVE-2023-4220

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.

Github link:
https://github.com/MikeyPPPPPPPP/CVE-2023-4220