CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 1CVE-2024-38036 – BUG-000154827 - Reflected XSS in ArcGIS Experience Builder
https://notcve.org/view.php?id=CVE-2024-38036
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1, 10.8.1 and 10.7.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://github.com/hnytgl/CVE-2024-38036 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2024-8149 – BUG-000168624 - Unvalidated redirect in Portal for ArcGIS.
https://notcve.org/view.php?id=CVE-2024-8149
04 Oct 2024 — There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. • https://www.esri.com/arcgis-blog/products/trust-arcgis/administration/portal-for-arcgis-security-2024-update-2-released • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-47655 – Unrestricted File Upload Vulnerability
https://notcve.org/view.php?id=CVE-2024-47655
04 Oct 2024 — An authenticated remote attacker could exploit this vulnerability by uploading malicious file, which could lead to remote code execution on targeted application. • https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-46486
https://notcve.org/view.php?id=CVE-2024-46486
04 Oct 2024 — TP-LINK TL-WDR5620 v2.3 was discovered to contain a remote code execution (RCE) vulnerability via the httpProcDataSrv function. • https://github.com/fishykz/TP-POC • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41512
https://notcve.org/view.php?id=CVE-2024-41512
04 Oct 2024 — A SQL Injection vulnerability in "ccHandler.aspx" in all versions of CADClick v.1.11.0 and before allows remote attackers to execute arbitrary SQL commands via the "bomid" parameter. • http://cadclick.de • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37869
https://notcve.org/view.php?id=CVE-2024-37869
04 Oct 2024 — File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "poster.php" file, and the uploaded file was received using the "$- FILES" variable • https://gist.github.com/TERRENCE-REX/7e5dfdd3583bf9fd81196f557a8b8879 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2024-37868
https://notcve.org/view.php?id=CVE-2024-37868
04 Oct 2024 — File Upload vulnerability in Itsourcecode Online Discussion Forum Project v.1.0 allows a remote attacker to execute arbitrary code via the "sendreply.php" file, and the uploaded file was received using the "$- FILES" variable. • https://gist.github.com/TERRENCE-REX/bfca92171143e28899bb8511f311f9ed • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41925 – Optigo Networks ONS-S8 Spectra Aggregation Switch PHP Remote File Inclusion
https://notcve.org/view.php?id=CVE-2024-41925
03 Oct 2024 — The web service for ONS-S8 - Spectra Aggregation Switch includes functions which do not properly validate user input, allowing an attacker to traverse directories, bypass authentication, and execute remote code. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-275-01 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-41988 – Missing Authentication for Critical Function vulnerability in TEM Opera Plus FM Family Transmitter
https://notcve.org/view.php?id=CVE-2024-41988
03 Oct 2024 — This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. • https://www.cisa.gov/news-events/ics-advisories/icsa-24-277-01 • CWE-306: Missing Authentication for Critical Function •
CVSS: 8.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-36474 – Ubuntu Security Notice USN-7062-1
https://notcve.org/view.php?id=CVE-2024-36474
03 Oct 2024 — This can lead to arbitrary code execution. ... If a user or automated system were tricked into opening a specially crafted file, a remote attacker could possibly use this issue to execute arbitrary code. • https://gitlab.gnome.org/GNOME/libgsf/-/issues/34 • CWE-190: Integer Overflow or Wraparound •