CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 0CVE-2022-30785
https://notcve.org/view.php?id=CVE-2022-30785
A file handle created in fuse_lib_opendir, and later used in fuse_lib_readdir, enables arbitrary memory read and write operations in NTFS-3G through 2021.8.22 when using libfuse-lite. Un manejador de archivos creado en fuse_lib_opendir, y posteriormente usado en fuse_lib_readdir, permite realizar operaciones de lectura y escritura en memoria arbitrarias en NTFS-3G versiones hasta 2021.8.22 cuando es usado libfuse-lite • http://www.openwall.com/lists/oss-security/2022/06/07/4 https://github.com/tuxera/ntfs-3g/releases https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58 https://lists.debian.org/debian-lts-announce/2022/06/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECDCISL24TYH4CTDFCUVF24WAKRSYF7F https://lists.fedoraprojec •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2022-27777 – tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers
https://notcve.org/view.php?id=CVE-2022-27777
A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. Una vulnerabilidad de tipo XSS en Action View tag helpers versiones posteriores a 5.2.0 incluyéndola y versiones anteriores a 5.2.0, que permitiría a un atacante inyectar contenido si es capaz de controlar la entrada en atributos específicos A flaw was found in rubygem-actionview when untrusted data such as the hash key for tag attributes are not properly escaped. This flaw allows an attacker to perform a Cross-site scripting attack. • https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534 https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2022-27777 https://bugzilla.redhat.com/show_bug.cgi?id=2080296 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.7EPSS: 0%CPEs: 6EXPL: 0CVE-2022-30783
https://notcve.org/view.php?id=CVE-2022-30783
An invalid return code in fuse_kern_mount enables intercepting of libfuse-lite protocol traffic between NTFS-3G and the kernel in NTFS-3G through 2021.8.22 when using libfuse-lite. Un código de retorno no válido en fuse_kern_mount permite interceptar el tráfico del protocolo libfuse-lite entre NTFS-3G y el kernel en NTFS-3G versiones hasta 2021.8.22 cuando es usado libfuse-lite • http://www.openwall.com/lists/oss-security/2022/06/07/4 https://github.com/tuxera/ntfs-3g/releases https://github.com/tuxera/ntfs-3g/security/advisories/GHSA-6mv4-4v73-xw58 https://lists.debian.org/debian-lts-announce/2022/06/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7JPX6OUCQKZX4PN5DQPVDUFZCOOZUX7Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ECDCISL24TYH4CTDFCUVF24WAKRSYF7F https://lists.fedoraprojec • CWE-252: Unchecked Return Value •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-1851 – Out-of-bounds Read in vim/vim
https://notcve.org/view.php?id=CVE-2022-1851
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2. Una Lectura Fuera de Límites en el repositorio GitHub vim/vim versiones anteriores a 8.2 • http://seclists.org/fulldisclosure/2022/Oct/28 http://seclists.org/fulldisclosure/2022/Oct/41 https://github.com/vim/vim/commit/78d52883e10d71f23ab72a3d8b9733b00da8c9ad https://huntr.dev/bounties/f8af901a-9a46-440d-942a-8f815b59394d https://lists.debian.org/debian-lts-announce/2022/06/msg00014.html https://lists.debian.org/debian-lts-announce/2022/11/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OZSLFIKFYU5Y2KM5EJKQNYHWRUBDQ4GJ https://lists.fedoraproject& • CWE-125: Out-of-bounds Read •
CVSS: 8.8EPSS: 0%CPEs: 7EXPL: 1CVE-2022-29221 – PHP Code Injection by malicious block or filename in Smarty
https://notcve.org/view.php?id=CVE-2022-29221
Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject php code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. Smarty es un motor de plantillas para PHP, que facilita la separación de la presentación (HTML/CSS) de la lógica de la aplicación. • https://github.com/sbani/CVE-2022-29221-PoC https://github.com/smarty-php/smarty/commit/64ad6442ca1da31cefdab5c9874262b702cccddd https://github.com/smarty-php/smarty/releases/tag/v3.1.45 https://github.com/smarty-php/smarty/releases/tag/v4.1.1 https://github.com/smarty-php/smarty/security/advisories/GHSA-634x-pc3q-cf4c https://lists.debian.org/debian-lts-announce/2022/05/msg00044.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRAJVDRGCIY5UZ2PQHKDTT7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •