CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-2967 – ConcreteCMS HTML Block save HTML injection
https://notcve.org/view.php?id=CVE-2025-2967
31 Mar 2025 — A vulnerability was found in ConcreteCMS up to 9.3.9. It has been classified as problematic. This affects the function Save of the component HTML Block Handler. The manipulation of the argument content leads to HTML injection. It is possible to initiate the attack remotely. • https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc5.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54803
https://notcve.org/view.php?id=CVE-2024-54803
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter pppoe_peer_mac and forcing a reboot. This will result in command injection. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#803 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54804
https://notcve.org/view.php?id=CVE-2024-54804
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Command Injection. An attacker can send a specially crafted request to post.cgi, updating the nvram parameter wan_hostname and forcing a reboot. This will result in command injection. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#804 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54805
https://notcve.org/view.php?id=CVE-2024-54805
31 Mar 2025 — After which, they can visit the send_log.cgi endpoint which uses the parameter in a system call to achieve command execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#805 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54806
https://notcve.org/view.php?id=CVE-2024-54806
31 Mar 2025 — Netgear WNR854T 1.5.2 (North America) is vulnerable to Arbitrary command execution in cmd.cgi which allows for the execution of system commands via the web interface. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#806 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54807
https://notcve.org/view.php?id=CVE-2024-54807
31 Mar 2025 — An attacker can send a specially crafted SOAPAction request for AddPortMapping via the router's WANIPConn1 service to achieve arbitrary command execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#807 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: -EXPL: 0CVE-2024-54808
https://notcve.org/view.php?id=CVE-2024-54808
31 Mar 2025 — The vulnerability allows for control of the program counter and can be utilized to achieve arbitrary code execution. • https://faultpoint.com/post/2025-03-25-8-cves-on-the-wnr854t-junkyard/#808 • CWE-121: Stack-based Buffer Overflow •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-2966 – ConcreteCMS Content Block save cross site scripting
https://notcve.org/view.php?id=CVE-2025-2966
30 Mar 2025 — A vulnerability was found in ConcreteCMS up to 9.3.9 and classified as problematic. Affected by this issue is the function Save of the component Content Block Handler. The manipulation of the argument Source leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc4.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-2965 – ConcreteCMS Accordion Block save cross site scripting
https://notcve.org/view.php?id=CVE-2025-2965
30 Mar 2025 — A vulnerability has been found in ConcreteCMS up to 9.3.9 and classified as problematic. Affected by this vulnerability is the function Save of the component Accordion Block Handler. The manipulation of the argument Title/Body Source leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc3.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 5.1EPSS: 0%CPEs: -EXPL: 1CVE-2025-2964 – ConcreteCMS FAQ Block save cross site scripting
https://notcve.org/view.php?id=CVE-2025-2964
30 Mar 2025 — A vulnerability, which was classified as problematic, was found in ConcreteCMS up to 9.3.9. Affected is the function Save of the component FAQ Block Handler. The manipulation of the argument Navigation/Title Text/Description Source leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/yaowenxiao721/Poc/blob/main/Concretecms/Concretecms-poc2.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •