CVE-2024-47093 – Fix various XSS issues and potential RCE
https://notcve.org/view.php?id=CVE-2024-47093
19 Dec 2024 — Improper neutralization of input in NagVis before version 1.9.42, which can lead to XSS • https://github.com/NagVis/nagvis/commit/30e71e8167d17a1828e7da71d6942f6fb36478cd • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2020-12820
https://notcve.org/view.php?id=CVE-2020-12820
19 Dec 2024 — Under non-default configuration, a stack-based buffer overflow in FortiOS version 6.0.10 and below, version 5.6.12 and below may allow a remote attacker authenticated to the SSL VPN to crash the FortiClient NAC daemon (fcnacd) and potentially execute arbitrary code via requesting a large FortiClient file name. We are not aware of proof of concept code successfully achieving the latter. • https://fortiguard.fortinet.com/psirt/FG-IR-20-083 • CWE-121: Stack-based Buffer Overflow •
CVE-2024-11157 – Rockwell Automation Third Party Vulnerability in Arena
https://notcve.org/view.php?id=CVE-2024-11157
19 Dec 2024 — If exploited, a threat actor could leverage this vulnerability to execute arbitrary code. To exploit this vulnerability, a legitimate user must execute the malicious code crafted by the threat actor. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Rockwell Automation Arena Simulation. ... An attacker can leverage this vulnerability to execute code in the context of the current process. • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html •
CVE-2024-12175 – Rockwell Automation Code Execution Vulnerability in Arena
https://notcve.org/view.php?id=CVE-2024-12175
19 Dec 2024 — Another “use after free” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to use a resource that was already used. If exploited, a threat actor could leverage this vulnerability... • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html •
CVE-2024-12832 – Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability
https://notcve.org/view.php?id=CVE-2024-12832
19 Dec 2024 — Arista NG Firewall ReportEntry SQL Injection Arbitrary File Read and Write Vulnerability. This vulnerability allows remote attackers to create arbitrary files and disclose sensitive information on affected installations of Arista NG Firewall. ... An attacker can leverage this in conjunction with other vulnerabilities to execute <... • https://www.zerodayinitiative.com/advisories/ZDI-24-1719 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2024-55081
https://notcve.org/view.php?id=CVE-2024-55081
19 Dec 2024 — An XML External Entity (XXE) injection vulnerability in the component /datagrip/upload of Chat2DB v0.3.5 allows attackers to execute arbitrary code via supplying a crafted XML input. • https://gist.github.com/summerxxoo/18b3ccc91aacd606aa4d48a02029e9e7 • CWE-611: Improper Restriction of XML External Entity Reference •
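The usual pre-condition for an XXE like the one above is a parser that honours DOCTYPE and entity declarations in attacker-supplied XML. The following is an added example, not Chat2DB code and not a model of its /datagrip/upload endpoint: a parser-agnostic gate built on the standard-library expat bindings that refuses any document declaring a DOCTYPE or an entity before the bytes reach the application's real parser. The two sample documents are constructed for the demo.

```python
"""Reject XML that declares a DOCTYPE or any entity before a real parser sees it.

Added example for the XXE entry above; not Chat2DB code. The BENIGN and XXE
documents below are constructed for the demo.
"""
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when the document carries a DOCTYPE or entity declaration."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    # Fires at '<!DOCTYPE', i.e. before any entity in the internal subset is read.
    raise UnsafeXML(f"DOCTYPE {doctype_name!r} not allowed (systemId={system_id!r})")


def _reject_entity(entity_name, is_parameter_entity, value, base, system_id,
                   public_id, notation_name):
    raise UnsafeXML(f"entity declaration {entity_name!r} not allowed")


def _refuse_external(context, base, system_id, public_id):
    # Returning 0 makes expat abort instead of fetching the referenced resource.
    return 0


def check_xml(data: bytes) -> bool:
    """Return True if `data` is well-formed and declares no DOCTYPE or entities.

    Raises UnsafeXML on a DOCTYPE/entity declaration and
    xml.parsers.expat.ExpatError on malformed input.
    """
    p = xml.parsers.expat.ParserCreate()
    p.StartDoctypeDeclHandler = _reject_doctype
    p.EntityDeclHandler = _reject_entity
    p.ExternalEntityRefHandler = _refuse_external
    p.Parse(data, True)
    return True


def is_safe_xml(data: bytes) -> bool:
    """Boolean wrapper: anything that is not plain, declaration-free XML is unsafe."""
    try:
        return check_xml(data)
    except (UnsafeXML, xml.parsers.expat.ExpatError):
        return False


# Constructed sample documents (not real traffic).
BENIGN = b'<?xml version="1.0"?><export><table name="users"/></export>'
XXE = (b'<?xml version="1.0"?>'
       b'<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       b'<export>&xxe;</export>')
DOCTYPE_ONLY = b'<!DOCTYPE export><export/>'

if __name__ == "__main__":
    print("benign accepted:      ", is_safe_xml(BENIGN))
    print("xxe accepted:         ", is_safe_xml(XXE))
    print("bare DOCTYPE accepted:", is_safe_xml(DOCTYPE_ONLY))
```

The gate rejects every DOCTYPE, not just ones with a SYSTEM entity, because an internal subset can still smuggle parameter entities and billion-laughs expansions. Run it on the raw upload bytes before the document is handed to whichever XML stack the application uses; in a Java service the equivalent parser-side setting is the `http://apache.org/xml/features/disallow-doctype-decl` feature on the DocumentBuilderFactory or SAXParserFactory.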
CVE-2024-12830 – Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-12830
19 Dec 2024 — Arista NG Firewall custom_handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. ... An attacker can leverage this vulnerability to execute code in the context of the www-data user. ... • https://www.zerodayinitiative.com/advisories/ZDI-24-1718 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2024-12829 – Arista NG Firewall ExecManagerImpl Command Injection Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2024-12829
19 Dec 2024 — Arista NG Firewall ExecManagerImpl Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Arista NG Firewall. ... An attacker can leverage this vulnerability to execute code in the context of root. An attacker ca... • https://www.zerodayinitiative.com/advisories/ZDI-24-1717 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
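CWE-78 as above comes down to a parameter being spliced into a command line that a shell then re-parses. The following is an added example in generic Python, not Arista NG Firewall or ExecManagerImpl code: the injectable shell-string form beside the argv-list form, with `echo` standing in for whatever binary the real manager wraps and a constructed payload. The hostname grammar used for the allowlist is an assumption for the demo.

```python
"""Command construction: shell string (injectable) beside argv list (safe).

Added example for the ExecManagerImpl command-injection entry above. Generic
Python, not Arista NG Firewall code; `echo` stands in for the wrapped binary
and PAYLOAD is constructed for the demo.
"""
import re
import subprocess

# Grammar assumed for the parameter in this demo: hostname characters only.
# A real service should match the exact grammar of each parameter it accepts.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_host(host: str) -> bool:
    return HOST_RE.fullmatch(host) is not None


def run_vulnerable(host: str) -> str:
    """Interpolates untrusted input into a shell command line (the bug)."""
    cmd = f"echo lookup {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_argv_only(host: str) -> str:
    """No shell: the whole input is one argv element, metacharacters included."""
    return subprocess.run(["echo", "lookup", host],
                          capture_output=True, text=True).stdout


def run_hardened(host: str) -> str:
    """Allowlist validation first, then the argv form; both layers matter."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host parameter: {host!r}")
    return run_argv_only(host)


def injected_command_ran(output: str) -> bool:
    """True if the second command in the payload produced its own output line."""
    return "INJECTED" in output.splitlines()


# Constructed payload: a valid-looking host followed by a second command.
PAYLOAD = "example.com; echo INJECTED"

if __name__ == "__main__":
    vuln = run_vulnerable(PAYLOAD)
    argv = run_argv_only(PAYLOAD)
    print("shell string:", repr(vuln), "-> injected ran:", injected_command_ran(vuln))
    print("argv list   :", repr(argv), "-> injected ran:", injected_command_ran(argv))
    try:
        run_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened    :", exc)
```

The argv form alone already stops `;`, `|`, `$(...)` and backticks from being interpreted, because no shell ever parses the string; the allowlist is the second layer, for binaries that themselves interpret their arguments (leading `-` options, `@file` syntax) or when the value later reaches a shell somewhere else.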
CVE-2024-11364 – Rockwell Automation Third Party Vulnerability in Arena®
https://notcve.org/view.php?id=CVE-2024-11364
19 Dec 2024 — Another “uninitialized variable” code execution vulnerability exists in the Rockwell Automation Arena® that could allow a threat actor to craft a DOE file and force the software to access a variable prior to it being initialized. If exploited, a threat a... • https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1713.html •
CVE-2024-12700 – Tibbo AggreGate Network Manager Unrestricted Upload of File with Dangerous Type
https://notcve.org/view.php?id=CVE-2024-12700
19 Dec 2024 — There is an unrestricted file upload vulnerability where it is possible for an authenticated user (low privileged) to upload a JSP shell and execute code with the privileges of the user running the web server. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Tibbo AggreGate Network Manager. ... An attacker can leverage this vulnerability to execute code in the context of an administrator. • https://aggregate.digital/downloads.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
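The custom_handler directory-traversal entry (CWE-22) and the AggreGate upload entry (CWE-434) above are the two halves of one file-handling problem: where a client-influenced path lands on disk, and what gets written there. The following is an added example in generic Python, not code from either product, showing the checks a storing endpoint needs for both: a realpath/commonpath containment test, an extension allowlist with content sniffing, and a server-chosen on-disk name. The allowlist, upload root and sample files are constructed for the demo.

```python
"""Upload handling that blocks path traversal and dangerous file types.

Added example for the custom_handler directory-traversal entry and the
AggreGate unrestricted-upload entry above. Generic Python, not code from
either product; ALLOWED, the temp root and the samples are constructed here.
"""
import hashlib
import os
import tempfile

# Allowed extensions with the magic bytes the content must start with (assumed
# policy for the demo; extend to the types the application really needs).
ALLOWED = {".png": b"\x89PNG\r\n\x1a\n", ".pdf": b"%PDF-"}


def safe_join(root: str, user_path: str) -> str:
    """Resolve user_path beneath root, rejecting anything that escapes it.

    realpath() collapses '..' and symlinks; commonpath() avoids the classic
    string-prefix bug where '/srv/uploads2' passes startswith('/srv/uploads').
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real or os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def validate_upload(filename: str, content: bytes) -> str:
    """Return the permitted extension for this upload or raise ValueError."""
    if "\x00" in filename:
        raise ValueError("NUL byte in filename")
    ext = os.path.splitext(os.path.basename(filename))[1].lower()
    if ext not in ALLOWED:
        # .jsp, .php, .war and double extensions ending in them all land here.
        raise ValueError(f"extension {ext!r} not in allowlist")
    if not content.startswith(ALLOWED[ext]):
        raise ValueError(f"content does not look like {ext}")
    return ext


def store_upload(root: str, filename: str, content: bytes) -> str:
    """Validate, rename to a server-chosen name, and write under root."""
    ext = validate_upload(filename, content)
    # The client never picks the on-disk name: derive it from the bytes.
    stored_name = hashlib.sha256(content).hexdigest() + ext
    dest = safe_join(root, stored_name)
    with open(dest, "wb") as fh:
        fh.write(content)
    return dest


# Constructed samples: a minimal PNG header and a JSP-looking payload.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
JSP_SAMPLE = b'<% out.println("hello"); %>'


def demo() -> dict:
    """Exercise the checks against a temporary upload root; returns outcomes."""
    root = tempfile.mkdtemp(prefix="uploads-")
    out = {"png": os.path.isfile(store_upload(root, "report.png", PNG_SAMPLE))}
    for label, name, data in [
        ("jsp", "shell.jsp", JSP_SAMPLE),
        ("double_ext", "shell.png.jsp", JSP_SAMPLE),
        ("mismatch", "shell.png", JSP_SAMPLE),  # .png name, JSP content
    ]:
        try:
            store_upload(root, name, data)
            out[label] = "stored"
        except ValueError:
            out[label] = "rejected"
    for label, path in [
        ("dotdot", "../../etc/cron.d/job"),
        ("absolute", "/etc/passwd"),
        ("sibling", "../" + os.path.basename(root) + "2/x"),
    ]:
        try:
            safe_join(root, path)
            out[label] = "allowed"
        except ValueError:
            out[label] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

Two points the samples make: `os.path.join` silently discards the root when the second component is absolute, which is why the containment test runs on the resolved result rather than on the input, and an extension check alone does not stop `shell.png` carrying JSP source, which is why the stored bytes are sniffed too. Serving the upload directory with execution disabled (no JSP/PHP handler mapped there) is the remaining layer a server-side configuration should add.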