
CVSS: 8.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

Vintage, a member of the AXIS OS Bug Bounty Program, has found that the VAPIX API create_overlay.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and the solution.
• https://www.axis.com/dam/public/89/d9/99/cve-2023-5800-en-US-424339.pdf
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 22 • EXPL: 0

Brandon Rothel from QED Secure Solutions has found that the VAPIX API tcptest.cgi did not have sufficient input validation, allowing for possible remote code execution. This flaw can only be exploited after authenticating with an operator- or administrator-privileged service account. The impact of exploiting this vulnerability is lower with operator-privileged than with administrator-privileged service accounts. Axis has released patched AXIS OS versions for the highlighted flaw. Please refer to the Axis security advisory for more information and the solution.
• https://www.axis.com/dam/public/a9/dd/f1/cve-2023-5677-en-US-424335.pdf
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in CodePeople CP Polls allows Code Injection. This issue affects CP Polls: from n/a through 1.0.71. The Polls CP plugin for WordPress is vulnerable to content injection in all versions up to, and including, 1.0.71. This is due to insufficient validation on poll answers.
• https://patchstack.com/database/vulnerability/cp-polls/wordpress-polls-cp-plugin-1-0-71-content-injection-vulnerability?_s_id=cve
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSS: 6.1 • EPSS: 0% • CPEs: 1 • EXPL: 2

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.
• https://github.com/trustcves/CVE-2024-24396
• http://stimulsoft.com
• https://cloud-trustit.spp.at/s/Pi78FFazHamJQ5R
• https://cves.at/posts/cve-2024-24396/writeup
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
• CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

Cross Site Request Forgery vulnerability in flusity-CMS v.2.33 allows a remote attacker to execute arbitrary code via the delete_post.php.
• https://github.com/tang-0717/cms/blob/main/2.md
• CWE-94: Improper Control of Generation of Code ('Code Injection')
• CWE-352: Cross-Site Request Forgery (CSRF)