CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-46076
https://notcve.org/view.php?id=CVE-2024-46076
RuoYi v4.7.9 and before has a security flaw that allows escaping from comments within the code generation feature, enabling the injection of malicious code. • https://gist.github.com/kkll5875/f237f200bae6db6b47eea3236d82ad0d https://github.com/yangzongzhuan/RuoYi • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-45933
https://notcve.org/view.php?id=CVE-2024-45933
OnlineNewsSite v1.0 is vulnerable to Cross Site Scripting (XSS) which allows attackers to execute arbitrary code via the Title and summary fields in the /admin/post/edit/ endpoint. • http://TobeReleased.com https://github.com/AslamMahi/CVE-Aslam-Mahi/blob/main/MobinaJafarian-OnlineNewsSite%20v%201.0/CVE-2024-45933.md • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9529 – Advanced Custom Fields <= 6.3.8 - Authenticated (Admin+) Limited Arbitrary Function Call
https://notcve.org/view.php?id=CVE-2024-9529
The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to limited arbitrary function calls via the 'register_meta_box_cb' and 'meta_box_cb' parameters in all versions up to, and including, 6.3.8 (excluding 6.3.6.2) due to insufficient input validation on those parameters. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary functions, like WordPress functions, in custom post types that will execute whenever a user accesses the injected post type. This can be leveraged to trick other users like administrators accessing posts into performing unauthorized actions through functions, and is not a very serious risk for the vast majority of site owners. Please follow the reference listed in this vulnerability record for instructions on how to update to the latest version of ACF that patches this issue and ensures accessibility to updates moving forward. Please note this issue was partially patched in 6.3.8 and 6.3.6.1 - 6.3.6.2, however, was hardened further in 6.3.6.3 and 6.3.9. • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 6.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-47845 – CSS sanitizer used incorrectly, and is easily bypassed
https://notcve.org/view.php?id=CVE-2024-47845
Improper Encoding or Escaping of Output vulnerability in The Wikimedia Foundation Mediawiki - CSS Extension allows Code Injection.This issue affects Mediawiki - CSS Extension: from 1.39.X before 1.39.9, from 1.41.X before 1.41.3, from 1.42.X before 1.42.2. • https://gerrit.wikimedia.org/r/q/I6f38f4a8fc1dcd690ab27b8f18ce6ca903bacc53 https://phabricator.wikimedia.org/T368594 https://phabricator.wikimedia.org/T368628 • CWE-116: Improper Encoding or Escaping of Output •
CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-38039 – BUG-000161683 - HTML injection vulnerability in Portal for ArcGIS.
https://notcve.org/view.php?id=CVE-2024-38039
There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker to create a crafted link which when clicked could render arbitrary HTML in the victim’s browser (no stateful change made or customer data rendered). • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •