CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-26271
https://notcve.org/view.php?id=CVE-2024-26271
Cross-site request forgery (CSRF) vulnerability in the My Account widget in Liferay Portal 7.4.3.75 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.2, 2023.Q3.1 through 2023.Q3.5, 7.4 update 75 through update 92 and 7.3 update 32 through update 36 allows remote attackers to (1) change user passwords, (2) shut down the server, (3) execute arbitrary code in the scripting console, (4) and perform other administrative actions via the _com_liferay_my_account_web_portlet_MyAccountPortlet_backURL parameter. • https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2024-26271 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.4EPSS: 0%CPEs: -EXPL: 0CVE-2022-23862
https://notcve.org/view.php?id=CVE-2022-23862
Because the service did not enforce authentication and was running under the "NT Authority\System" user, an attacker is able to use the vulnerability to execute arbitrary code and elevate to the system user. • https://github.com/mbadanoiu/CVE-2022-23862 https://github.com/mbadanoiu/CVE-2022-23862/blob/main/SafeQ%20-%20CVE-2022-23862.pdf https://ysoft.com • CWE-306: Missing Authentication for Critical Function •
CVSS: 5.3EPSS: 0%CPEs: -EXPL: 0CVE-2024-40493
https://notcve.org/view.php?id=CVE-2024-40493
Null Pointer Dereference in `coap_client_exchange_blockwise2` function in Keith Cullen FreeCoAP 1.0 allows remote attackers to cause a denial of service and potentially execute arbitrary code via a specially crafted CoAP packet that causes `coap_msg_get_payload(resp)` to return a null pointer, which is then dereferenced in a call to `memcpy`. • https://gist.github.com/dqp10515/fe80005e2fb58ed8ada178ac017e4ad4 https://github.com/keith-cullen/FreeCoAP/issues/37 • CWE-476: NULL Pointer Dereference •
CVSS: 4.8EPSS: 0%CPEs: -EXPL: 1CVE-2024-48652
https://notcve.org/view.php?id=CVE-2024-48652
Cross Site Scripting vulnerability in camaleon-cms v.2.7.5 allows remote attacker to execute arbitrary code via the content group name field. • https://github.com/paragbagul111/CVE-2024-48652 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: -EXPL: 0CVE-2024-45518
https://notcve.org/view.php?id=CVE-2024-45518
This issue permits unauthorized HTTP requests to be sent to internal services, which can lead to Remote Code Execution (RCE) by chaining Command Injection within the internal service. When combined with existing XSS vulnerabilities, this SSRF issue can further facilitate Remote Code Execution (RCE). • https://wiki.zimbra.com/wiki/Security_Center https://wiki.zimbra.com/wiki/Zimbra_Releases/10.0.9#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/10.1.1#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P46#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Releases/9.0.0/P41#Security_Fixes https://wiki.zimbra.com/wiki/Zimbra_Responsible_Disclosure_Policy https://wiki.zimbra.com/wiki/Zimbra_Security_Advisories • CWE-918: Server-Side Request Forgery (SSRF) •