๐จ CVE-2022-39215
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.
๐@cveNotify
Tauri is a framework for building binaries for all major desktop platforms. Due to missing canonicalization when `readDir` is called recursively, it was possible to display directory listings outside of the defined `fs` scope. This required a crafted symbolic link or junction folder inside an allowed path of the `fs` scope. No arbitrary file content could be leaked. The issue has been resolved in version 1.0.6 and the implementation now properly checks if the requested (sub) directory is a symbolic link outside of the defined `scope`. Users are advised to upgrade. Users unable to upgrade should disable the `readDir` endpoint in the `allowlist` inside the `tauri.conf.json`.
๐@cveNotify
GitHub
[bug] Accessing junction folder from within $APP folder on Windows ยท Issue #4882 ยท tauri-apps/tauri
Describe the bug When a junction is created in the $APP Base directory on windows eg. mklink /J C:\Users\<user>\AppData\Roaming\<identifier>\TestFolder C:\Dev\TestFolder...
๐จ CVE-2022-39213
go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary.
๐@cveNotify
go-cvss is a Go module to manipulate Common Vulnerability Scoring System (CVSS). In affected versions when a full CVSS v2.0 vector string is parsed using `ParseVector`, an Out-of-Bounds Read is possible due to a lack of tests. The Go module will then panic. The problem is patched in tag `v0.4.0`, by the commit `d9d478ff0c13b8b09ace030db9262f3c2fe031f4`. Users are advised to upgrade. Users unable to upgrade may avoid this issue by parsing only CVSS v2.0 vector strings that do not have all attributes defined (e.g. `AV:N/AC:L/Au:N/C:P/I:P/A:C/E:U/RL:OF/RC:C/CDP:MH/TD:H/CR:M/IR:M/AR:M`). As stated in [SECURITY.md](https://github.com/pandatix/go-cvss/blob/master/SECURITY.md), the CPE v2.3 to refer to this Go module is `cpe:2.3:a:pandatix:go_cvss:*:*:*:*:*:*:*:*`. The entry has already been requested to the NVD CPE dictionary.
๐@cveNotify
GitHub
Improve CVSS v2.0 implementation (0/1 allocs/op) ยท pandatix/go-cvss@d9d478f
Go module to manipulate Common Vulnerability Scoring System (CVSS) - Improve CVSS v2.0 implementation (0/1 allocs/op) ยท pandatix/go-cvss@d9d478f
๐จ CVE-2022-36075
Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue
๐@cveNotify
Nextcloud files access control is a nextcloud app to manage access control for files. Users with limited access can see file names in certain cases where they do not have privilege to do so. This issue has been addressed and it is recommended that the Nextcloud Files Access Control app is upgraded to 1.12.2, 1.13.1 or 1.14.1. There are no known workarounds for this issue
๐@cveNotify
GitHub
Listing folder content blocked by files access control when received as share
### Impact
Users with limited access can see file names on the first level when receiving a folder as a share
### Patches
It is recommended that the Nextcloud Files Access Control app is upgra...
Users with limited access can see file names on the first level when receiving a folder as a share
### Patches
It is recommended that the Nextcloud Files Access Control app is upgra...
๐จ CVE-2022-27561
There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf).
๐@cveNotify
There is a reflected Cross-Site Scripting vulnerability in the HCL Traveler web admin (LotusTraveler.nsf).
๐@cveNotify
๐จ CVE-2022-29240
Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part of decompression buffer won't be overwritten, and will be left uninitialized. This can be exploited in several ways, depending on the privileges of the user. 1. The main exploit is that an attacker with access to CQL port, but no user account, can bypass authentication, but only if there are other legitimate clients making connections to the cluster, and they use LZ4. 2. Attacker that already has a user account on the cluster can read parts of uninitialized memory, which can contain things like passwords of other users or fragments of other queries / results, which leads to authorization bypass and sensitive information disclosure. The bug has been patched in the following versions: Scylla Enterprise: 2020.1.14, 2021.1.12, 2022.1.0. Scylla Open Source: 4.6.7, 5.0.3. Users unable to upgrade should make sure none of their drivers connect to cluster using LZ4 compression, and that Scylla CQL port is behind firewall. Additionally make sure no untrusted client can connect to Scylla, by setting up authentication and applying workarounds from previous point (firewall, no lz4 compression).
๐@cveNotify
Scylla is a real-time big data database that is API-compatible with Apache Cassandra and Amazon DynamoDB. When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part of decompression buffer won't be overwritten, and will be left uninitialized. This can be exploited in several ways, depending on the privileges of the user. 1. The main exploit is that an attacker with access to CQL port, but no user account, can bypass authentication, but only if there are other legitimate clients making connections to the cluster, and they use LZ4. 2. Attacker that already has a user account on the cluster can read parts of uninitialized memory, which can contain things like passwords of other users or fragments of other queries / results, which leads to authorization bypass and sensitive information disclosure. The bug has been patched in the following versions: Scylla Enterprise: 2020.1.14, 2021.1.12, 2022.1.0. Scylla Open Source: 4.6.7, 5.0.3. Users unable to upgrade should make sure none of their drivers connect to cluster using LZ4 compression, and that Scylla CQL port is behind firewall. Additionally make sure no untrusted client can connect to Scylla, by setting up authentication and applying workarounds from previous point (firewall, no lz4 compression).
๐@cveNotify
GitHub
Uninitialized memory read in LZ4 decompression leads to authentication bypass
### Impact
When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part ...
When decompressing CQL frame received from user, Scylla assumes that user-provided uncompressed length is correct. If user provides fake length, that is greater than the real one, part ...
๐จ CVE-2022-38399
Missing protection mechanism for alternate hardware interface in SmaCam CS-QR10 all versions and SmaCam Night Vision CS-QR20 all versions allows an attacker to execute an arbitrary OS command by having the product connect to the product's specific serial connection
๐@cveNotify
Missing protection mechanism for alternate hardware interface in SmaCam CS-QR10 all versions and SmaCam Night Vision CS-QR20 all versions allows an attacker to execute an arbitrary OS command by having the product connect to the product's specific serial connection
๐@cveNotify
PLANEX
ในใใซใก๏ผCS-QR10๏ผ๏ฝPLANEX
ในใใซใก๏ผCS-QR10๏ผใฏๅฐ็จใขใใชใงQRใณใผใใ่ชญใฟๅใใใในใฏใผใใๅ
ฅๅใใใ ใใงๆ่ปฝใซใซใกใฉใฎๆ ๅใในใใใง่ฆใใใใใใใฏใผใฏใซใกใฉใงใใ
๐จ CVE-2022-33941
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.
๐@cveNotify
PowerCMS XMLRPC API provided by Alfasado Inc. contains a command injection vulnerability. Sending a specially crafted message by POST method to PowerCMS XMLRPC API may allow arbitrary Perl script execution, and an arbitrary OS command may be executed through it. Affected products/versions are as follows: PowerCMS 6.021 and earlier (PowerCMS 6 Series), PowerCMS 5.21 and earlier (PowerCMS 5 Series), and PowerCMS 4.51 and earlier (PowerCMS 4 Series). Note that all versions of PowerCMS 3 Series and earlier which are unsupported (End-of-Life, EOL) are also affected by this vulnerability.
๐@cveNotify
jvn.jp
JVN#76024879: PowerCMS XMLRPC API vulnerable to command injection
Japan Vulnerability Notes
๐จ CVE-2022-36074
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
๐@cveNotify
Nextcloud server is an open source personal cloud product. Affected versions of this package are vulnerable to Information Exposure which fails to strip the Authorization header on HTTP downgrade. This can lead to account access exposure and compromise. It is recommended that the Nextcloud Server is upgraded to 23.0.7 or 24.0.3. It is recommended that the Nextcloud Enterprise Server is upgraded to 22.2.11, 23.0.7 or 24.0.3. There are no known workarounds for this issue.
๐@cveNotify
GitHub
Bump guzzlehttp/guzzle from 7.4.0 to 7.4.4 by CarlSchwan ยท Pull Request #32941 ยท nextcloud/server
nextcloud/3rdparty#1072
rebased
Signed-off-by: Carl Schwan carl@carlschwan.eu
rebased
Signed-off-by: Carl Schwan carl@carlschwan.eu
๐จ CVE-2022-38637
Hospital Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities via the Username and Password parameters on the Login page.
๐@cveNotify
Hospital Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities via the Username and Password parameters on the Login page.
๐@cveNotify
owasp.org
SQL Injection | OWASP Foundation
SQL Injection on the main website for The OWASP Foundation. OWASP is a nonprofit foundation that works to improve the security of software.
๐จ CVE-2022-2900
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
๐@cveNotify
Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url prior to 8.1.0.
๐@cveNotify
GitHub
Throw if url is invalid. Add a length limit. ยท IonicaBizau/parse-url@b88c81d
:rocket: An advanced url parser supporting git urls too. - Throw if url is invalid. Add a length limit. ยท IonicaBizau/parse-url@b88c81d
๐จ CVE-2022-36667
Garage Management System 1.0 is vulnerable to the Remote Code Execution (RCE) due to the lack of filtering from the file upload function. The vulnerability exist during adding parts and from the upload function, the attacker can upload PHP Reverse Shell straight away to gain RCE.
๐@cveNotify
Garage Management System 1.0 is vulnerable to the Remote Code Execution (RCE) due to the lack of filtering from the file upload function. The vulnerability exist during adding parts and from the upload function, the attacker can upload PHP Reverse Shell straight away to gain RCE.
๐@cveNotify
GitHub
POC-DUMP/README.md at main ยท saitamang/POC-DUMP
Writeup for any interesting bugs/vulnerability. Contribute to saitamang/POC-DUMP development by creating an account on GitHub.
๐จ CVE-2022-36436
OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by an vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server.
๐@cveNotify
OSU Open Source Lab VNCAuthProxy through 1.1.1 is affected by an vncap/vnc/protocol.py VNCServerAuthenticator authentication-bypass vulnerability that could allow a malicious actor to gain unauthorized access to a VNC session or to disconnect a legitimate user from a VNC session. A remote attacker with network access to the proxy server could leverage this vulnerability to connect to VNC servers protected by the proxy server without providing any authentication credentials. Exploitation of this issue requires that the proxy server is currently accepting connections for the target VNC server.
๐@cveNotify
GitHub
Fix CVE-2022-36436 - Authentication bypass in RFB security handshake โฆ ยท osuosl/twisted_vncauthproxy@edc149a
โฆ(#1)
๐จ CVE-2022-36668
Garage Management System 1.0 is vulnerable to Stored Cross Site Scripting (XSS) on several parameters. The vulnerabilities exist during creating or editing the parts under parameters. Using the XSS payload, the Stored XSS triggered and can be used for further attack vector.
๐@cveNotify
Garage Management System 1.0 is vulnerable to Stored Cross Site Scripting (XSS) on several parameters. The vulnerabilities exist during creating or editing the parts under parameters. Using the XSS payload, the Stored XSS triggered and can be used for further attack vector.
๐@cveNotify
GitHub
POC-DUMP/README.md at main ยท saitamang/POC-DUMP
Writeup for any interesting bugs/vulnerability. Contribute to saitamang/POC-DUMP development by creating an account on GitHub.
๐จ CVE-2022-40674
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
๐@cveNotify
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c.
๐@cveNotify
GitHub
[CVE-2022-40674] Ensure raw tagnames are safe exiting internalEntityParser by RMJ10 ยท Pull Request #629 ยท libexpat/libexpat
It is possible to concoct a situation in which parsing is suspended while substituting in an internal entity, so that XML_ResumeParser directly uses internalEntityProcessor as its processor. If th...
๐จ CVE-2022-40626
An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.
๐@cveNotify
An unauthenticated user can create a link with reflected Javascript code inside the backurl parameter and send it to other authenticated users in order to create a fake account with predefined login, password and role in Zabbix Frontend.
๐@cveNotify
๐จ CVE-2022-36536
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
๐@cveNotify
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
๐@cveNotify
Super
Super.com: Save, Earn, Travel
Super.com helps you save on hotels, get cash advances, and make extra money! Upgrade to Super+ and put even more money in your pocket!
๐จ CVE-2022-36534
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote code execution (RCE) vulnerabilities via the Job_ExecuteBefore and Job_ExecuteAfter parameters at post_profilesettings.php.
๐@cveNotify
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain multiple remote code execution (RCE) vulnerabilities via the Job_ExecuteBefore and Job_ExecuteAfter parameters at post_profilesettings.php.
๐@cveNotify
Super
Super.com: Save, Earn, Travel
Super.com helps you save on hotels, get cash advances, and make extra money! Upgrade to Super+ and put even more money in your pocket!
๐จ CVE-2022-36533
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability.
๐@cveNotify
Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below was discovered to contain a cross-site scripting (XSS) vulnerability.
๐@cveNotify
Super
Super.com: Save, Earn, Travel
Super.com helps you save on hotels, get cash advances, and make extra money! Upgrade to Super+ and put even more money in your pocket!
๐จ CVE-2022-35415
An improper input validation in NI System Configuration Manager before 22.5 may allow a privileged user to potentially enable escalation of privilege via local access.
๐@cveNotify
An improper input validation in NI System Configuration Manager before 22.5 may allow a privileged user to potentially enable escalation of privilege via local access.
๐@cveNotify
Ni
NI Test & Measurement Solutions from Emerson
National Instruments, a leading provider of software-connected automated test and measurement systems. Explore our hardware and software solutions.
๐จ CVE-2022-37140
PayMoney 3.3 is vulnerable to Client Side Remote Code Execution (RCE). The vulnerability exists on the reply ticket function and upload the malicious file. A calculator will open when the victim who download the file open the RTF file.
๐@cveNotify
PayMoney 3.3 is vulnerable to Client Side Remote Code Execution (RCE). The vulnerability exists on the reply ticket function and upload the malicious file. A calculator will open when the victim who download the file open the RTF file.
๐@cveNotify
GitHub
POC-DUMP/PayMoney at main ยท saitamang/POC-DUMP
Writeup for any interesting bugs/vulnerability. Contribute to saitamang/POC-DUMP development by creating an account on GitHub.
๐จ CVE-2022-37139
Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability.
๐@cveNotify
Loan Management System version 1.0 suffers from a persistent cross site scripting vulnerability.
๐@cveNotify
GitHub
POC-DUMP/Loan Management System/README.md at main ยท saitamang/POC-DUMP
Writeup for any interesting bugs/vulnerability. Contribute to saitamang/POC-DUMP development by creating an account on GitHub.