
CVSS: 6.1 | EPSS: 0% | CPEs: 4 | EXPL: 0

AWStats 7.x through 7.8 allows XSS in the hostinfo plugin because it prints a response from Net::XWhois without proper checks.
• https://github.com/eldy/AWStats/pull/226 https://lists.debian.org/debian-lts-announce/2022/12/msg00010.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GRFYH4DE3COMI3LJCOQQXA4FWOABU6Z2 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MYUZIFVB4N3NK4WGNHRNXZKJITCJBJX4
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from the PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
• http://www.openwall.com/lists/oss-security/2022/12/03/1 https://lists.apache.org/thread/o6yn9r9x6s94v97264hmgol1sf48mvx7 https://lists.debian.org/debian-lts-announce/2022/12/msg00038.html https://www.debian.org/security/2022/dsa-5307 https://access.redhat.com/security/cve/CVE-2021-37533 https://bugzilla.redhat.com/show_bug.cgi?id=2169924
• CWE-20: Improper Input Validation

CVSS: 6.5 | EPSS: 0% | CPEs: 2 | EXPL: 0

g810-led 0.4.2, a LED configuration tool for Logitech Gx10 keyboards, contained a udev rule that made supported device nodes world-readable and world-writable, allowing any process on the system to read traffic from the keyboards, including sensitive data.
• https://bugs.debian.org/1024998 https://github.com/MatMoul/g810-led/pull/297 https://lists.debian.org/debian-lts-announce/2022/12/msg00002.html
• CWE-732: Incorrect Permission Assignment for Critical Resource

CVSS: 8.8 | EPSS: 0% | CPEs: 3 | EXPL: 1

Sinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Versions 2.2.3 and 3.0.4 contain patches for this issue.
• https://github.com/advisories/GHSA-8x94-hmjh-97hq https://github.com/sinatra/sinatra/commit/ea8fc9495a350f7551b39e3025bfcd06f49f363b https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw https://lists.debian.org/debian-lts-announce/2023/01/msg00005.html https://www.blackhat.com/docs/eu-14/materials/eu-14-Hafif-Reflected-File-Download-A-New-Web-Attack-Vector.pdf https://access.redhat.com/security/cve/CVE-2022-45442 https://bugzilla.redhat.com/show_bug.cgi?id=2153363
• CWE-494: Download of Code Without Integrity Check

CVSS: 7.8 | EPSS: 0% | CPEs: 5 | EXPL: 0

GNU Emacs through 28.2 allows attackers to execute commands via shell metacharacters in the name of a source-code file, because lib-src/etags.c uses the system C library function in its implementation of the ctags program. For example, a victim may use the "ctags *" command (suggested in the ctags documentation) in a situation where the current working directory has contents that depend on untrusted input. A flaw was found in Etags, the Ctags implementation of Emacs.
• https://git.savannah.gnu.org/cgit/emacs.git/commit/?id=d48bb4874bc6cd3e69c7a15fc3c91cc141025c51 https://lists.debian.org/debian-lts-announce/2022/12/msg00046.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FOSK3J7BBAEI4IITW2DRUKLQYUZYKH6Y https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GOXIH2FDEQJEAARE52C3GHTLGQFBYPIB https://www.debian.org/security/2023/dsa-5314 https://access.redhat.com/security/cve/CVE-2022-45939 https://bugzill
• CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')