
CVE-2024-11175 – Public CMS Voting Management save cross site scripting
https://notcve.org/view.php?id=CVE-2024-11175
13 Nov 2024 — A vulnerability was found in Public CMS 5.202406.d and classified as problematic. This issue affects some unknown processing of the file /admin/cmsVote/save of the component Voting Management. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://gitee.com/sanluan/PublicCMS/commit/b9530b9cc1f5cfdad4b637874f59029a6283a65c • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-52306 – FileManager Deserialization of Untrusted Data
https://notcve.org/view.php?id=CVE-2024-52306
13 Nov 2024 — Prior to 3.0.9, deserialization of untrusted data from the mimes parameter could lead to remote code execution. • https://github.com/Laravel-Backpack/FileManager/commit/2830498b85e05fb3c92179053b4d7c4a0fdb880b • CWE-502: Deserialization of Untrusted Data •

CVE-2024-47574
https://notcve.org/view.php?id=CVE-2024-47574
13 Nov 2024 — An authentication bypass using an alternate path or channel in Fortinet FortiClientWindows version 7.4.0, versions 7.2.4 through 7.2.0, versions 7.0.12 through 7.0.0, and 6.4.10 through 6.4.0 allows a low-privilege attacker to execute arbitrary code with high privilege via spoofed named pipe messages. • https://fortiguard.fortinet.com/psirt/FG-IR-24-199 • CWE-288: Authentication Bypass Using an Alternate Path or Channel •

CVE-2024-21541
https://notcve.org/view.php?id=CVE-2024-21541
13 Nov 2024 — All versions of the package dom-iterator are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. ... Versions of the package dom-iterator before 1.0.1 are vulnerable to Arbitrary Code Execution due to use of the Function constructor without complete input sanitization. • https://security.snyk.io/vuln/SNYK-JS-DOMITERATOR-6157199 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-8938
https://notcve.org/view.php?id=CVE-2024-8938
13 Nov 2024 — CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a potential arbitrary code execution after a successful Man-In-The-Middle attack followed by sending a crafted Modbus function call to tamper with memory area involved in memory size computation. • https://download.schneider-electric.com/doc/SEVD-2024-317-03/SEVD-2024-317-03.pdf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2024-8937
https://notcve.org/view.php?id=CVE-2024-8937
13 Nov 2024 — CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability exists that could cause a potential arbitrary code execution after a successful Man-In-The-Middle attack followed by sending a crafted Modbus function call to tamper with memory area involved in the authentication process. • https://download.schneider-electric.com/doc/SEVD-2024-317-03/SEVD-2024-317-03.pdf • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2024-38655
https://notcve.org/view.php?id=CVE-2024-38655
13 Nov 2024 — Argument injection in Ivanti Connect Secure before version 22.7R2.1 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.9 and Ivanti Policy Secure before version 22.7R1.1 and 9.1R18.9 allows a remote authenticated attacker with admin privileges to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVE-2024-34780
https://notcve.org/view.php?id=CVE-2024-34780
13 Nov 2024 — SQL injection in Ivanti Endpoint Manager before 2024 November Security Update or 2022 SU6 November Security Update allows a remote authenticated attacker with admin privileges to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-EPM-November-2024-for-EPM-2024-and-EPM-2022 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-39712
https://notcve.org/view.php?id=CVE-2024-39712
13 Nov 2024 — Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •

CVE-2024-39711
https://notcve.org/view.php?id=CVE-2024-39711
13 Nov 2024 — Argument injection in Ivanti Connect Secure before version 22.7R2.1 and 9.1R18.7 and Ivanti Policy Secure before version 22.7R1.1 allows a remote authenticated attacker with admin privileges to achieve remote code execution. • https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Connect-Secure-ICS-Ivanti-Policy-Secure-IPS-Ivanti-Secure-Access-Client-ISAC-Multiple-CVEs • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •