CVSS: 6.4EPSS: %CPEs: 1EXPL: 0CVE-2024-37962 – Fusion <= 1.6.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-37962
The Fusion plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 1.6.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-38395
https://notcve.org/view.php?id=CVE-2022-38395
HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up. HP Support Assistant utiliza HP Performance Tune-up como herramienta de diagnóstico. HP Support Assistant utiliza Fusion para iniciar HP Performance Tune-up. • https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809 • CWE-427: Uncontrolled Search Path Element •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-22043
https://notcve.org/view.php?id=CVE-2021-22043
VMware ESXi contains a TOCTOU (Time-of-check Time-of-use) vulnerability that exists in the way temporary files are handled. A malicious actor with access to settingsd, may exploit this issue to escalate their privileges by writing arbitrary files. VMware ESXi contiene una vulnerabilidad TOCTOU (Time-of-check Time-of-use) que se presenta en la forma de manejar los archivos temporales. Un actor malicioso con acceso a settingsd, puede explotar este problema para escalar sus privilegios al escribir archivos arbitrarios • https://www.vmware.com/security/advisories/VMSA-2022-0004.html • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition •
CVSS: 6.5EPSS: 2%CPEs: 1EXPL: 1CVE-2020-28911 – Nagios XI / Fusion Privilege Escalation / Cross Site Scripting / Code Execution
https://notcve.org/view.php?id=CVE-2020-28911
Incorrect Access Control in Nagios Fusion 4.1.8 and earlier allows low-privileged authenticated users to extract passwords used to manage fused servers via the test_server command in ajaxhelper.php. Un Control de Acceso Incorrecto en Nagios Fusion versiones 4.1.8 y anteriores, permite a usuarios autenticados pocos privilegiados extraer las contraseñas usadas para administrar servidores fusionados por medio del comando test_server en el archivo ajaxhelper.php Skylight Cyber has identified a total of 13 vulnerabilities in Nagios XI and Nagios Fusion servers. These include remote code execution, cross site scripting, privilege escalation, and more. • http://packetstormsecurity.com/files/162783/Nagios-XI-Fusion-Privilege-Escalation-Cross-Site-Scripting-Code-Execution.html https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you https://www.nagios.com/downloads/nagios-xi/change-log • CWE-922: Insecure Storage of Sensitive Information •
CVSS: 9.0EPSS: 3%CPEs: 1EXPL: 1CVE-2020-28909 – Nagios XI / Fusion Privilege Escalation / Cross Site Scripting / Code Execution
https://notcve.org/view.php?id=CVE-2020-28909
Incorrect File Permissions in Nagios Fusion 4.1.8 and earlier allows for Privilege Escalation to root via modification of scripts. Low-privileges users are able to modify files that can be executed by sudo. Los Permisos de Archivo Incorrectos en Nagios Fusion versiones 4.1.8 y anteriores, permiten una Escalada de Privilegios a root por medio de la modificación de los scripts. Los usuarios pocos privilegiados pueden modificar archivos que pueden ser ejecutados por sudo Skylight Cyber has identified a total of 13 vulnerabilities in Nagios XI and Nagios Fusion servers. These include remote code execution, cross site scripting, privilege escalation, and more. • http://packetstormsecurity.com/files/162783/Nagios-XI-Fusion-Privilege-Escalation-Cross-Site-Scripting-Code-Execution.html https://skylightcyber.com/2021/05/20/13-nagios-vulnerabilities-7-will-shock-you https://www.nagios.com/downloads/nagios-xi/change-log • CWE-732: Incorrect Permission Assignment for Critical Resource •