CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2024-6828 – Redux Framework 4.4.12 - 4.4.17 - Unauthenticated JSON File Upload to Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-6828
This makes it possible for unauthenticated attackers to upload JSON files, which can be used to conduct stored cross-site scripting attacks and, in some rare cases, when the wp_filesystem fails to initialize - to Remote Code Execution. • https://core.trac.wordpress.org/browser/tags/6.5.4/src/wp-includes/class-wp-theme-json.php#L1690 https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-filesystem.php#L614 https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/classes/class-redux-helpers.php#L938 https://plugins.trac.wordpress.org/browser/redux-framework/tags/4.4.17/redux-core/inc/extensions/color_scheme/color_scheme/class-redux-color-schem • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: -EPSS: 0%CPEs: -EXPL: 0CVE-2024-24507
https://notcve.org/view.php?id=CVE-2024-24507
Cross Site Scripting vulnerability in Act-On 2023 allows a remote attacker to execute arbitrary code via the newUser parameter in the login.jsp component. • https://gist.github.com/Xandsz/2b409acb81e846fc3478600f984785a1 •
CVSS: 7.6EPSS: 0%CPEs: -EXPL: 0CVE-2020-24102
https://notcve.org/view.php?id=CVE-2020-24102
Directory Traversal vulnerability in Punkbuster pbsv.d64 2.351, allows remote attackers to execute arbitrary code. • https://medium.com/%40prizmant/hacking-punkbuster-e22e6cf2f36e • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-38944
https://notcve.org/view.php?id=CVE-2024-38944
An issue in Intelight X-1L Traffic controller Maxtime v.1.9.6 allows a remote attacker to execute arbitrary code via the /cgi-bin/generateForm.cgi? • https://gist.github.com/LemonSec/6aaea8320187a38e1a398fa321f12303 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.4EPSS: 0%CPEs: -EXPL: 1CVE-2024-34329
https://notcve.org/view.php?id=CVE-2024-34329
Insecure permissions in Entrust Datacard XPS Card Printer Driver 8.4 and earlier allows unauthenticated attackers to execute arbitrary code as SYSTEM via a crafted DLL payload. • https://github.com/pamoutaf/CVE-2024-34329 https://github.com/pamoutaf/CVE-2024-34329/blob/main/README.md https://www.entrust.com/ja/contact/services/downloads/drivers • CWE-378: Creation of Temporary File With Insecure Permissions •