charlesgargasson

4 exploits Active since Mar 2023
CVE-2023-41425 NOMISEC MEDIUM NO CODE
WonderCMS Remote Code Execution
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
1 stars
CVSS 6.1
CVE-2023-4220 NOMISEC HIGH NO CODE
Chamilo v1.11.24 Unrestricted File Upload PHP Webshell
Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in Chamilo LMS <= v1.11.24 allows unauthenticated attackers to perform stored cross-site scripting attacks and obtain remote code execution via uploading of web shell.
1 stars
CVSS 8.1
CVE-2024-32002 NOMISEC CRITICAL NO CODE
Git <2.45.1-2.39.4 - Code Injection
Git is a revision control system. Prior to versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories with submodules can be crafted in a way that exploits a bug in Git whereby it can be fooled into writing files not into the submodule's worktree but into a `.git/` directory. This allows writing a hook that will be executed while the clone operation is still running, giving the user no opportunity to inspect the code that is being executed. The problem has been patched in versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4. If symbolic link support is disabled in Git (e.g. via `git config --global core.symlinks false`), the described attack won't work. As always, it is best to avoid cloning repositories from untrusted sources.
CVSS 9.0
CVE-2023-1177 NOMISEC CRITICAL NO CODE
Lfprojects Mlflow < 2.2.1 - Path Traversal
Path Traversal: '\..\filename' in GitHub repository mlflow/mlflow prior to 2.2.1.
CVSS 9.3