CVE-2024-45846

HIGH Year: 2024
CVSS v3 Score
8.8
High
Weakness Type
CWE-95
View all →

Vulnerability Description

An arbitrary code execution vulnerability exists in versions 23.10.3.0 up to 24.7.4.1 of the MindsDB platform, when the Weaviate integration is installed on the server. If a specially crafted ‘SELECT WHERE’ clause containing Python code is run against a database created with the Weaviate engine, the code will be passed to an eval function and executed on the server.

Related Vulnerabilities

CVE-2020-5256

HIGH
CVSS:8.8(High)

BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would t...

CWE-952020

CVE-2020-6650

HIGH
CVSS:8.8(High)

UPS companion software v1.05 & Prior is affected by ‘Eval Injection’ vulnerability. The software does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluati...

CWE-952020

CVE-2022-41928

HIGH
CVSS:8.8(High)

XWiki Platform vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') in AttachmentSelector.xml. The issue can also be reproduced by inserting the dangero...

CWE-952022

CVE-2022-41931

HIGH
CVSS:8.8(High)

xwiki-platform-icon-ui is vulnerable to Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection'). Any user with view rights on commonly accessible documents including the...

CWE-952022

CVE-2023-0089

HIGH
CVSS:8.8(High)

The webutils in Proofpoint Enterprise Protection (PPS/POD) contain a vulnerability that allows an authenticated user to execute remote code through 'eval injection'. This affects all versions 8.20.0 a...

CWE-952023

CVE-2023-29209

HIGH
CVSS:8.8(High)

XWiki Commons are technical libraries common to several other top level XWiki projects. Any user with view rights on commonly accessible documents including the legacy notification activity macro can ...

CWE-952023