The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count. Older CVEs and those affecting open source projects with very small userbases aren’t listed.

For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them.

CVE-2024-44849

• Severity: Awaiting analysis.
• Impacted Products: Qualitor up to 8.24
• Description: Remote Code Execution (RCE) via Arbitrary File Upload in checkAcesso.php.
• Remediation: Follow developer guidance.
• More Info: NVD - CVE-2024-44849
• PoC: https://github.com/extencil/CVE-2024-44849/

CVE-2024-8517

• Severity: Awaiting analysis.
• Impacted Products: SPIP before 4.3.2, 4.2.16, and 4.1.18
• Description: A remote and unauthenticated attacker can execute arbitrary operating system commands by sending a crafted multipart file upload HTTP request.
• Remediation: Follow developer guidance.
• More Info: NVD - CVE-2024-8517
• PoC: https://github.com/Chocapikk/CVE-2024-8517/

CVE-2024-8395

• Severity: Awaiting analysis.
• Impacted Products: FlyCASS website. Looks like it was mitigated by disconnecting the impacted component.
• Description: FlyCASS CASS and KCM systems did not correctly filter SQL queries, which made them vulnerable to attack by outside attackers with no authentication.
• Remediation: Follow developer guidance.
• More Info: NVD - CVE-2024-8395
• PoC: https://ian.sh/tsa

References

This list was scraped from the quite amazing and highly recommended newsletters below:

• ~this week in security~
• Unsupervised Learning
• @RISK
• Hive Five
• Vulnerable U
• tl;dr sec

Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.