CVSS: 6.6EPSS: 0%CPEs: 3EXPL: 1CVE-2024-9529 – Secure Custom Fields < 6.3.6.3 - Admin+ Remote Code Execution
https://notcve.org/view.php?id=CVE-2024-9529
The Secure Custom Fields WordPress plugin before 6.3.9, Secure Custom Fields WordPress plugin before 6.3.6.3, Advanced Custom Fields Pro WordPress plugin before 6.3.9 does not prevent users from running arbitrary functions through its setting import functionalities, which could allow high privilege users such as admin to run arbitrary PHP functions. The Advanced Custom Fields (ACF) plugin for WordPress is vulnerable to limited arbitrary function calls via the 'register_meta_box_cb' and 'meta_box_cb' parameters in all versions up to, and including, 6.3.8 (excluding 6.3.6.2) due to insufficient input validation on those parameters. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary functions, like WordPress functions, in custom post types that will execute whenever a user accesses the injected post type. • https://wpscan.com/vulnerability/dd3cc8d8-4dff-47f9-b036-5d09f2c7e5f2 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9054 – Remote code Execution inTimeProvider® 4100
https://notcve.org/view.php?id=CVE-2024-9054
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Microchip TimeProvider 4100 (Configuration modules) allows Command Injection.This issue affects TimeProvider 4100: from 1.0 before 2.4.7. • https://www.gruppotim.it/it/footer/red-team.html https://www.microchip.com/en-us/solutions/technologies/embedded-security/how-to-report-potential-product-security-vulnerabilities/timeprovider-4100-grandmaster-rce-through-configuration-file • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2024-38038 – BUG-000165732 - Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-38038
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 0CVE-2024-25691 – BUG-000165286 - Reflected XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25691
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1, 10.9.1 and 10.8.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-25694 – BUG-000163019 - Stored XSS in Portal for ArcGIS
https://notcve.org/view.php?id=CVE-2024-25694
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 10.8.1 – 10.9.1 that may allow a remote, authenticated attacker to create a crafted link that is stored in the Layer Showcase application configuration which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •