New most known CVEs!
Updated: Dec 8, 2022
Introduction
I) List of CVEs
1) CVE-2022-35726
a) Description
Broken Authentication vulnerability in yotuwp Video Gallery plugin <= 1.3.4.5 at WordPress.
b) References
https://patchstack.com/database/vulnerability/yotuwp-easy-youtube-embed/wordpress-video-gallery-plugin-1-3-4-5-broken-authentication
https://wordpress.org/plugins/yotuwp-easy-youtube-embed/#developers
2) CVE-2022-36282
a) Description
Authenticated (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Roman Pronskiy's Search Exclude plugin <= 1.2.6 at WordPress.
b) References
https://wordpress.org/plugins/search-exclude/#developers
https://patchstack.com/database/vulnerability/search-exclude/wordpress-search-exclude-plugin-1-2-6-authenticated-stored-cross-site-scripting-xss-vulnerability
3) CVE-2022-36285
a) Description
Authenticated Arbitrary File Upload vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.
b) References
https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-arbitrary-file-upload-vulnerability
https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers
4) CVE-2022-37153
a) Description
An issue was discovered in Artica Proxy 4.30.000000. There is a XSS vulnerability via the password parameter in /fw.login.php.
b) References
https://github.com/Fjowel/CVE-2022-37153
5) CVE-2022-37434
a) Description
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field. NOTE: only applications that call inflateGetHeader are affected. Some common applications bundle the affected zlib source code but may be unable to call inflateGetHeader (e.g., see the nodejs/node reference).
b) References
https://github.com/nodejs/node/blob/75b68c6e4db515f76df73af476eccf382bbcb00a/deps/zlib/inflate.c#L762-L764
https://github.com/ivd38/zlib_overflow
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
6) CVE-2022-38533
a) Description
In GNU Binutils before 2.4.0, there is a heap-buffer-overflow in the error function bfd_getl32 when called from the strip_main function in strip-new via a crafted file.
b) References
https://sourceware.org/bugzilla/show_bug.cgi?id=29482
7) CVE-2022-36226
a) Description
SiteServerCMS 5.X has a remote-download getshell vulnerability via /SiteServer/Ajax/ajaxOtherService.aspx.
b) References
https://www.slpyue.com/
https://github.com/we1h0/SiteServer-CMS-Remote-download-Getshell
8) CVE-2022-24381
a) Description
All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
b) References
https://security.snyk.io/vuln/SNYK-UNMANAGED-ASNEGOPCUASTACK-2988735
9) CVE-2022-25888
a) Description
The package opcua from 0.0.0 is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
b) References
https://security.snyk.io/vuln/SNYK-RUST-OPCUA-2988751
https://github.com/locka99/opcua/pull/216
10) CVE-2022-25761
a) Description
The package open62541/open62541 before 1.2.5, and from 1.3-rc1 before 1.3.1, is vulnerable to Denial of Service (DoS) due to a missing limitation on the number of received chunks - per single session or in total for all concurrent sessions. An attacker can exploit this vulnerability by sending an unlimited number of huge chunks (e.g. 2GB each) without sending the Final closing chunk.
b) References
https://github.com/open62541/open62541/pull/5173
https://security.snyk.io/vuln/SNYK-UNMANAGED-OPEN62541OPEN62541-2988719
11) CVE-2022-28681
a) Description
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Foxit PDF Reader 11.2.1.53537. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the deletePages method. By performing actions in JavaScript, an attacker can trigger a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-16825.
b) References
https://www.zerodayinitiative.com/advisories/ZDI-22-772/
https://www.foxit.com/support/security-bulletins.html
12) CVE-2022-25302
a) Description
All versions of package asneg/opcuastack are vulnerable to Denial of Service (DoS) due to a missing handler for failed casting when unvalidated data is forwarded to boost::get function in OpcUaNodeIdBase.h. Exploiting this vulnerability is possible when sending a specifically crafted OPC UA message with a special encoded NodeId.
b) References
https://security.snyk.io/vuln/SNYK-UNMANAGED-ASNEGOPCUASTACK-2988732
13) CVE-2022-1015
a) Description
A flaw was found in the Linux kernel in linux/net/netfilter/nf_tables_api.c of the netfilter subsystem. This flaw allows a local user to cause an out-of-bounds write issue.
b) References
https://seclists.org/oss-sec/2022/q1/205
https://bugzilla.redhat.com/show_bug.cgi?id=2065323
14) CVE-2022-24298
a) Description
All versions of package freeopcua/freeopcua are vulnerable to Denial of Service (DoS) when bypassing the limitations for excessive memory consumption by sending multiple CloseSession requests with the deleteSubscription parameter equal to False.
b) References
https://github.com/FreeOpcUa/freeopcua/issues/391
https://security.snyk.io/vuln/SNYK-UNMANAGED-FREEOPCUAFREEOPCUA-2988720
15) CVE-2022-36389
a) Description
Cross-Site Request Forgery (CSRF) vulnerability in WordPlus Better Messages plugin <= 1.9.9.148 at WordPress.
b) References
https://wordpress.org/plugins/bp-better-messages/#developers
https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-9-148-cross-site-request-forgery-csrf-vulnerability-2
16) CVE-2022-38663
a) Description
Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.
b) References
https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2796
http://www.openwall.com/lists/oss-security/2022/08/23/2
17) CVE-2022-35115
a) Description
IceWarp WebClient DC2 - Update 2 Build 9 (13.0.2.9) was discovered to contain a SQL injection vulnerability via the search parameter at /webmail/server/webmail.php.
b) References
https://veysel-xan.com/CVE-2022-35115.txt
https://support.icewarp.com/hc/en-us/community/posts/4419283857297-DC2-Update-2-Build-10-13-0-2-10-
18) CVE-2022-38664
a) Description
Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job names.
b) References
https://www.jenkins.io/security/advisory/2022-08-23/#SECURITY-2765
http://www.openwall.com/lists/oss-security/2022/08/23/2
19) CVE-2022-34648
a) Description
Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.
b) References
https://patchstack.com/database/vulnerability/uploading-svgwebp-and-ico-files/wordpress-uploading-svg-webp-and-ico-files-plugin-1-0-0-authenticated-stored-cross-site-scripting-xss-vulnerability
https://wordpress.org/plugins/uploading-svgwebp-and-ico-files/#developers
20) CVE-2022-33142
a) Description
Authenticated (subscriber+) Denial Of Service (DoS) vulnerability in WordPlus WordPress Better Messages plugin <= 1.9.10.57 at WordPress.
b) References
https://wordpress.org/plugins/bp-better-messages/#developers
https://patchstack.com/database/vulnerability/bp-better-messages/wordpress-better-messages-plugin-1-9-10-57-denial-of-service-dos-vulnerability
21) CVE-2022-2873
a) Description
An out-of-bounds memory access flaw was found in the Linux kernel's Intel iSMT SMBus host controller driver, in the way a user triggers I2C_SMBUS_BLOCK_DATA (with the ioctl I2C_SMBUS) with malicious input data. This flaw allows a local user to crash the system.
b) References
https://lore.kernel.org/lkml/20220729093451.551672-1-zheyuma97@gmail.com/T/
22) CVE-2022-2407
a) Description
The WP phpMyAdmin WordPress plugin before 5.2.0.4 does not escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed (for example in multisite setup).
b) References
https://wpscan.com/vulnerability/5be611e8-5b7a-4579-9757-45a4c94a53ca
23) CVE-2022-2392
a) Description
The Lana Downloads Manager WordPress plugin before 1.8.0 is affected by an arbitrary file download vulnerability that can be exploited by users with "Contributor" permissions or higher.
b) References
https://wpscan.com/vulnerability/5001ed18-858e-4c9d-9d7b-a1305fcdf61b
24) CVE-2022-2389
a) Description
The Abandoned Cart Recovery for WooCommerce, Follow Up Emails, Newsletter Builder & Marketing Automation By Autonami WordPress plugin before 2.1.2 does not have authorisation and CSRF checks in one of its AJAX actions, allowing any authenticated user, such as a subscriber, to create automations.
b) References
https://wpscan.com/vulnerability/e70f00b7-6251-476e-9297-60af509e6ad9
25) CVE-2022-2375
a) Description
The WP Sticky Button WordPress plugin before 1.4.1 does not have authorisation and CSRF checks when saving its settings, allowing unauthenticated users to update them. Furthermore, due to the lack of escaping in some of them, it could lead to Stored Cross-Site Scripting issues.
b) References
https://wpscan.com/vulnerability/caab1fca-cc6b-45bb-bd0d-f857edd8bb81
26) CVE-2022-2198
a) Description
The WPQA Builder WordPress plugin before 5.7, which is a companion plugin to Hilmer and Discy, does not check authorization before displaying private messages, allowing any logged-in user to read other users' private messages using the message ID, which can easily be brute-forced.
b) References
https://wpscan.com/vulnerability/867248f2-d497-4ea8-b3f8-0f2e8aaaa2bd
27) CVE-2022-36261
a) Description
An arbitrary file deletion vulnerability was discovered in taocms 3.0.2 that allows an attacker to delete files on the server by requesting the URL admin.php?action=file&ctrl=del&path=/../../../test.txt.
b) References
https://github.com/chasingboy/cms-pentest/blob/main/taocms-arbitrary-file-deletion-vulnerability.md?by=xboy(topsec)
https://github.com/chasingboy/cms-pentest/blob/main/taocms-arbitrary-file-deletion-vulnerability.md
28) CVE-2022-37223
a) Description
JFinal CMS 5.1.0 is vulnerable to SQL Injection via /jfinal_cms/system/role/list.
b) References
https://github.com/jflyfox/jfinal_cms/issues/49
29) CVE-2022-36009
a) Description
gomatrixserverlib is a Go library for matrix protocol federation. Dendrite is a Matrix homeserver written in Go, an alternative to Synapse. The power level parsing within gomatrixserverlib was failing to parse the `"events_default"` key of the `m.room.power_levels` event, defaulting the event default power level to zero in all cases. Power levels are the matrix terminology for user access level. In rooms where the `"events_default"` power level had been changed, this could result in events either being incorrectly authorised or rejected by Dendrite servers. gomatrixserverlib contains a fix as of commit `723fd49` and Dendrite 0.9.3 has been updated accordingly. Matrix rooms where the `"events_default"` power level has not been changed from the default of zero are not vulnerable. Users are advised to upgrade. There are no known workarounds for this issue.
b) References
https://github.com/matrix-org/gomatrixserverlib/commit/723fd495dde835d078b9f2074b6b62c06dea4575
https://matrix.org/docs/guides/moderation/#power-levels
30) CVE-2022-26363
a) Description
x86 pv: Insufficient care with non-coherent mappings. [This CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen maintains a type reference count for pages, in addition to a regular reference count. This scheme is used to maintain invariants required for Xen's safety, e.g. PV guests may not have direct writeable access to pagetables; updates need auditing by Xen. Unfortunately, Xen's safety logic doesn't account for CPU-induced cache non-coherency: cases where the CPU can cause the content of the cache to be different from the content in main memory. In such cases, Xen's safety logic can incorrectly conclude that the contents of a page are safe.
b) References
https://xenbits.xenproject.org/xsa/advisory-402.tx
Conclusion
Every day, new vulnerabilities are discovered and published on the Internet. These vulnerabilities are quickly exploited by malicious actors and affect the security of your systems. Companies must implement countermeasures as soon as possible, and then deploy definitive patches.
About us
Headquarter: 9 rue des colonnes 75002 Paris
Phone: +33134908672
Email: contact@bluepinksecurity.com