CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2976 – GFI KerioConnect File Upload cross site scripting
https://notcve.org/view.php?id=CVE-2025-2976
31 Mar 2025 — A vulnerability was found in GFI KerioConnect 10.0.6. It has been classified as problematic. Affected is an unknown function of the component File Upload. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. • https://github.com/0xs1ash/poc/blob/main/xss.md#2-when-a-file-with-a-malicious-javascript-code-in-its-name-is-uploaded-to-the-system-it-is-displayed-again-on-the-page-within-the-input-field-without-being-sanitized-this-creates-the-potential-for-an-xss-att • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2975 – GFI KerioConnect Signature EditHtmlSource cross site scripting
https://notcve.org/view.php?id=CVE-2025-2975
31 Mar 2025 — A vulnerability was found in GFI KerioConnect 10.0.6 and classified as problematic. This issue affects some unknown processing of the file Settings/Email/Signature/EditHtmlSource of the component Signature Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/0xs1ash/poc/blob/main/xss.md#1-stored-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: 2EXPL: 1CVE-2025-2974 – CodeCanyon Perfex CRM Contracts contract cross site scripting
https://notcve.org/view.php?id=CVE-2025-2974
31 Mar 2025 — A vulnerability has been found in CodeCanyon Perfex CRM up to 3.2.1 and classified as problematic. This vulnerability affects unknown code of the file /contract of the component Contracts. The manipulation of the argument content leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://bytium.com/stored-xss-in-perfex-crm-3-2-1-contracts-module • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-2971 – ConcreteCMS List Block cross site scripting
https://notcve.org/view.php?id=CVE-2025-2971
31 Mar 2025 — A vulnerability classified as problematic was found in ConcreteCMS up to 9.3.9. Affected by this vulnerability is an unknown functionality of the component List Block Handler. The manipulation of the argument Name/Description leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc9.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54803
https://notcve.org/view.php?id=CVE-2024-54803
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#803 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54804
https://notcve.org/view.php?id=CVE-2024-54804
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. This will result in command injection. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#804 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54805
https://notcve.org/view.php?id=CVE-2024-54805
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter get_email. After which, they can visit the send_log.cgi endpoint which uses the parameter in a system call to achieve command execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#805 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54806
https://notcve.org/view.php?id=CVE-2024-54806
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Arbitrary command execution in cmd.cgi which allows for the execution of system commands via the web interface. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#806 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54807
https://notcve.org/view.php?id=CVE-2024-54807
31 Mar 2025 — In Netgear WNR854T 1.5.2 (North America), the UPNP service is vulnerable to command injection in the function addmap_exec which parses the NewInternalClient parameter of the AddPortMapping SOAPAction into a system call without sanitation. An attacker can send a specially crafted SOAPAction request for AddPortMapping via the router's WANIPConn1 service to achieve arbitrary command execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#807 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54808
https://notcve.org/view.php?id=CVE-2024-54808
31 Mar 2025 — The vulnerability allows for control of the program counter and can be utilized to achieve arbitrary code execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#808 • CWE-121: Stack-based Buffer Overflow •