
CVE-2023-29121 – Exposed TCF agent service in Enel X Juicebox
https://notcve.org/view.php?id=CVE-2023-29121
05 Nov 2024 — The Waybox Enel TCF Agent service could be used to obtain administrator privileges over the Waybox system. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-284: Improper Access Control •

CVE-2023-29120 – Unauthorized Remote Command Execution in Enel X Juicebox
https://notcve.org/view.php?id=CVE-2023-29120
05 Nov 2024 — The Waybox Enel X web management application could be used to execute arbitrary OS commands and obtain administrator privileges over the Waybox system. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2023-29119 – Unauthorized SQLite Injection
https://notcve.org/view.php?id=CVE-2023-29119
05 Nov 2024 — The Waybox Enel X web management application could execute arbitrary queries against the internal SQLite database via /admin/dbstore.php. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-29118 – Unauthorized SQLite Injection in Enel X Juicebox
https://notcve.org/view.php?id=CVE-2023-29118
05 Nov 2024 — The Waybox Enel X web management application could execute arbitrary queries against the internal SQLite database via /admin/versions.php. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-29117 – Authentication Bypass in JuiceBox Web Manager interface
https://notcve.org/view.php?id=CVE-2023-29117
05 Nov 2024 — Authentication on the Waybox Enel X web management API could be bypassed, granting administrator privileges over the Waybox system. • https://support-emobility.enelx.com/content/dam/enelxmobility/italia/documenti/manuali-schede-tecniche/Waybox-3-Security-Bulletin-06-2024-V1.pdf • CWE-287: Improper Authentication •

CVE-2022-30636 – Limited directory traversal vulnerability on Windows in golang.org/x/crypto
https://notcve.org/view.php?id=CVE-2022-30636
02 Jul 2024 — httpTokenCacheKey uses path.Base to extract the expected HTTP-01 token value to look up in the DirCache implementation. On Windows, path.Base behaves differently from filepath.Base, because Windows uses a different path separator (\ instead of /): path.Base only splits on /, so a user can supply a relative path, e.g. .well-known/acme-challenge/..\..\asd becomes ..\..\asd. The extracted value is then suffixed with +http-01, joined with the cache directory, and opened, which lets the file access escape the cache directory (the traversal is limited because the +http-01 suffix is always appended). • https://go.dev/cl/408694 •
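The separator mismatch described above is easy to see in Go itself. The block below is an added example, not code from golang.org/x/crypto or from the upstream fix: vulnerableCacheKey reproduces the pre-fix logic as the advisory describes it (path.Base plus the +http-01 suffix), and hardenedCacheKey shows one way to reject such tokens, an allowlist on the base64url alphabet that RFC 8555 §8.3 requires for HTTP-01 tokens. The request paths are constructed for the example, and the allowlist check is this example's choice, not necessarily what the Go team committed in CL 408694.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"regexp"
)

// Constructed request paths for the example, not captured traffic.
// benignPath carries a normal-looking base64url token; traversalPath carries
// the backslash-relative value from the advisory.
const (
	benignPath    = "/.well-known/acme-challenge/evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
	traversalPath = "/.well-known/acme-challenge/..\\..\\asd"
)

// vulnerableCacheKey mirrors the pre-fix behaviour: path.Base splits only on '/',
// so backslashes in the last element survive. On Windows the returned key is later
// joined with the cache directory, and the backslashes act as separators there.
func vulnerableCacheKey(reqPath string) string {
	return path.Base(reqPath) + "+http-01"
}

// HTTP-01 tokens MUST NOT contain characters outside the base64url alphabet
// (RFC 8555 §8.3), so anything else can be refused before touching the cache.
// This allowlist is the hardening chosen for this example, not the upstream patch.
var tokenRE = regexp.MustCompile(`^[A-Za-z0-9_-]+$`)

var errBadToken = errors.New("http-01 token contains characters outside the base64url alphabet")

// hardenedCacheKey extracts the token the same way but refuses anything that could
// carry a path separator on any platform ('/', '\', '.', etc. are all outside the allowlist).
func hardenedCacheKey(reqPath string) (string, error) {
	token := path.Base(reqPath)
	if !tokenRE.MatchString(token) {
		return "", errBadToken
	}
	return token + "+http-01", nil
}

func main() {
	for _, p := range []string{benignPath, traversalPath} {
		fmt.Printf("request path: %q\n", p)
		fmt.Printf("  vulnerable key: %q\n", vulnerableCacheKey(p))
		if key, err := hardenedCacheKey(p); err != nil {
			fmt.Printf("  hardened:       rejected (%v)\n", err)
		} else {
			fmt.Printf("  hardened key:   %q\n", key)
		}
	}
}
```

Run on Linux or Windows the vulnerable key for traversalPath is the same string, `..\..\asd+http-01`; the difference is only what filepath.Join does with it afterwards, which is why the bug is Windows-specific while the validation above is not.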

CVE-2024-24792 – Panic when parsing invalid palette-color images in golang.org/x/image
https://notcve.org/view.php?id=CVE-2024-24792
27 Jun 2024 — Parsing a corrupt or malicious paletted image whose pixel data contains color indices outside the palette can cause a panic. • https://go.dev/cl/588115 •

CVE-2024-37106 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Plugin Settings Change Leading to Stored XSS vulnerability
https://notcve.org/view.php?id=CVE-2024-37106
20 Jun 2024 — Missing Authorization vulnerability in WishList Products WishList Member X allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WishList Member X: from n/a through 3.26.6. The Wishlist Member plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 3.25.1. This makes it possible for unauthenticated attackers to update the plugin's settings and inject malicious web scri... • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unautenticated-plugin-settings-change-leading-to-stored-xss-vulnerability?_s_id=cve • CWE-862: Missing Authorization •

CVE-2024-37108 – WordPress WishList Member X plugin < 3.26.7 - Authenticated Arbitrary File Deletion vulnerability
https://notcve.org/view.php?id=CVE-2024-37108
20 Jun 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in WishList Products WishList Member X allows Path Traversal. This issue affects WishList Member X: from n/a through 3.26.6. The Wishlist Member plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in all versions up to, and including, 3.25.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary files on the s... • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-authenticated-arbitrary-file-deletion-vulnerability?_s_id=cve • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-37112 – WordPress WishList Member X plugin < 3.26.7 - Unauthenticated Arbitrary SQL Query Execution vulnerability
https://notcve.org/view.php?id=CVE-2024-37112
20 Jun 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Membership Software WishList Member X. This issue affects WishList Member X: from n/a before 3.26.7. The WishList Member X plugin for WordPress is vulnerable to SQL Injection in versions ... • https://patchstack.com/database/vulnerability/wishlist-member-x/wordpress-wishlist-member-x-plugin-3-25-1-unauthenticated-arbitrary-sql-query-execution-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •