CVSS: 6.8EPSS: 0%CPEs: 8EXPL: 1CVE-2022-21702 – Cross site scripting in Grafana proxy
https://notcve.org/view.php?id=CVE-2022-21702
Grafana is an open-source platform for monitoring and observability. In affected versions an attacker could serve HTML content thru the Grafana datasource or plugin proxy and trick a user to visit this HTML page using a specially crafted link and execute a Cross-site Scripting (XSS) attack. The attacker could either compromise an existing datasource for a specific Grafana instance or either set up its own public service and instruct anyone to set it up in their Grafana instance. To be impacted, all of the following must be applicable. For the data source proxy: A Grafana HTTP-based datasource configured with Server as Access Mode and a URL set, the attacker has to be in control of the HTTP server serving the URL of above datasource, and a specially crafted link pointing at the attacker controlled data source must be clicked on by an authenticated user. • https://github.com/grafana/grafana/commit/27726868b3d7c613844b55cd209ca93645c99b85 https://github.com/grafana/grafana/security/advisories/GHSA-xc3p-28hw-q24g https://grafana.com/blog/2022/02/08/grafana-7.5.15-and-8.3.5-released-with-moderate-severity-security-fixes https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2PFW6Q2LXXWTFRTMTRN4ZGADFRQPKJ3D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36GUEPA5TPSC57DZTPYPBL6T7UPQ2FRH https://lists.fedorapr • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-0204
https://notcve.org/view.php?id=CVE-2022-0204
A heap overflow vulnerability was found in bluez in versions prior to 5.63. An attacker with local network access could pass specially crafted files causing an application to halt or crash, leading to a denial of service. Se encontró una vulnerabilidad de desbordamiento de pila en bluez en versiones anteriores a la 5.63. Un atacante con acceso a la red local podría pasar archivos especialmente diseñados causando a una aplicación detenerse o bloquearse, conllevando a una denegación de servicio • https://bugzilla.redhat.com/show_bug.cgi?id=2039807 https://github.com/bluez/bluez/commit/591c546c536b42bef696d027f64aa22434f8c3f0 https://github.com/bluez/bluez/security/advisories/GHSA-479m-xcq5-9g2q https://lists.debian.org/debian-lts-announce/2022/10/msg00026.html https://security.gentoo.org/glsa/202209-16 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-190: Integer Overflow or Wraparound •
CVSS: 8.8EPSS: 0%CPEs: 3EXPL: 1CVE-2022-0523 – Use After Free in radareorg/radare2
https://notcve.org/view.php?id=CVE-2022-0523
Use After Free in GitHub repository radareorg/radare2 prior to 5.6.2. Una Desreferencia de Puntero Caducada en el repositorio GitHub radareorg/radare2 versiones anteriores a 5.6.2 • https://github.com/radareorg/radare2/commit/35482cb760db10f87a62569e2f8872dbd95e9269 https://huntr.dev/bounties/9d8d6ae0-fe00-40b9-ae1e-b0e8103bac69 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZTIMAS53YT66FUS4QHQAFRJOBMUFG6D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E6YBRQ3UCFWJVSOYIKPVUDASZ544TFND • CWE-416: Use After Free •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-23613 – Privilege escalation on xrdp
https://notcve.org/view.php?id=CVE-2022-23613
xrdp is an open source remote desktop protocol (RDP) server. In affected versions an integer underflow leading to a heap overflow in the sesman server allows any unauthenticated attacker which is able to locally access a sesman server to execute code as root. This vulnerability has been patched in version 0.9.18.1 and above. Users are advised to upgrade. There are no known workarounds. xrdp es un servidor de protocolo de escritorio remoto (RDP) de código abierto. • https://github.com/neutrinolabs/xrdp/commit/4def30ab8ea445cdc06832a44c3ec40a506a0ffa https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-8h98-h426-xf32 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K5ONRGARKHGFU2CIEQ7E6M6VJZEM5XWW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3XGFJNQMNXHBD3J7CBM4YURYEDXROWZ • CWE-191: Integer Underflow (Wrap or Wraparound) •
CVSS: 8.8EPSS: 0%CPEs: 4EXPL: 1CVE-2022-0115 – Chrome storage::BlobBuilderFromStream Uninitializaed On-Stack Pointer
https://notcve.org/view.php?id=CVE-2022-0115
Uninitialized use in File API in Google Chrome prior to 97.0.4692.71 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Un uso no inicializado en File API en Google Chrome versiones anteriores a 97.0.4692.71, permitía a un atacante remoto llevar a cabo un acceso a la memoria fuera de límites por medio de una página HTML diseñada Chrome suffers from making use of an uninitialized on-stack pointer in storage::BlobBuilderFromStream. • https://chromereleases.googleblog.com/2022/01/stable-channel-update-for-desktop.html https://crbug.com/1268903 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5PAGL5M2KGYPN3VEQCRJJE6NA7D5YG5X https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KQJB6ZPRLKV6WCMX2PRRRQBFAOXFBK6B https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRWRAXAFR3JR7XCFWTHC2KALSZKWACCE • CWE-908: Use of Uninitialized Resource •