CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2024-8424 – WatchGuard Endpoint Protection Privilege Escalation in PSANHost Enables Arbitrary File Delete as SYSTEM
https://notcve.org/view.php?id=CVE-2024-8424
Improper Privilege Management vulnerability in WatchGuard EPDR, Panda AD360 and Panda Dome on Windows (PSANHost.exe module) allows arbitrary file delete with SYSTEM permissions. This issue affects EPDR: before 8.00.23.0000; Panda AD360: before 8.00.23.0000; Panda Dome: before 22.03.00. ... An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Application Host Service. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. • https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2024-00017 • CWE-269: Improper Privilege Management •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-49524 – Adobe Experience Manager | Cross-site Scripting (DOM-based XSS) (CWE-79)
https://notcve.org/view.php?id=CVE-2024-49524
Adobe Experience Manager versions 6.5.20 and earlier are affected by a DOM-based Cross-Site Scripting (XSS) vulnerability that could be exploited by an attacker to execute arbitrary code in the context of the victim's browser session. • https://helpx.adobe.com/security/products/experience-manager/apsb24-28.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10621 – Simple Shortcode for Google Maps <= 1.5.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
https://notcve.org/view.php?id=CVE-2024-10621
This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • sfp_email=&sfph_mail=&reponame=&new=3181804%40simple-google-maps-short-code%2Ftrunk&old=3065630%40simple-google-maps-short-code%2Ftrunk&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/33146b95-d2c7-433d-a104-5762b251f8ec? • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 8.1EPSS: 0%CPEs: -EXPL: 0CVE-2024-43425 – Moodle: remote code execution via calculated question types
https://notcve.org/view.php?id=CVE-2024-43425
Additional restrictions are required to avoid a remote code execution risk in calculated question types. • https://bugzilla.redhat.com/show_bug.cgi?id=2304253 https://moodle.org/mod/forum/discuss.php?d=461193 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.6EPSS: 0%CPEs: -EXPL: 0CVE-2024-10526 – Rapid7 Velociraptor Local Privilege Escalation In Windows Velociraptor Service
https://notcve.org/view.php?id=CVE-2024-10526
By modifying Velociraptor's files, local users can subvert the binary and cause the Velociraptor service to execute arbitrary code as the SYSTEM user, or to replace the Velociraptor binary completely. • https://docs.velociraptor.app/announcements/2024-cves • CWE-552: Files or Directories Accessible to External Parties CWE-732: Incorrect Permission Assignment for Critical Resource •