CVSS: 7.2 • EPSS: 0% • CPEs: - • EXPL: 0

By replacing specific files, an attacker could tamper with specific files or even achieve remote code execution. • https://cert-portal.siemens.com/productcert/html/ssa-916916.html • CWE-73: External Control of File Name or Path

CVSS: 7.2 • EPSS: 0% • CPEs: - • EXPL: 0

By replacing specific files, an attacker could tamper with specific files or even achieve remote code execution. • https://cert-portal.siemens.com/productcert/html/ssa-916916.html • CWE-73: External Control of File Name or Path

CVSS: 7.2 • EPSS: 0% • CPEs: - • EXPL: 0

By replacing specific files, an attacker could tamper with specific files or even achieve remote code execution. • https://cert-portal.siemens.com/productcert/html/ssa-916916.html • CWE-73: External Control of File Name or Path

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the /etc/init.d/user-applications script. ... An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of root. • https://cert.vde.com/en/advisories/VDE-2024-019 • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

A local attacker with low privileges can use a command injection vulnerability to gain root privileges due to improper input validation using the OCPP Remote service. ... This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Phoenix Contact CHARX SEC-3100 devices. ... The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. • https://cert.vde.com/en/advisories/VDE-2024-019 • CWE-20: Improper Input Validation