CVE-2023-50044
https://notcve.org/view.php?id=CVE-2023-50044
Cesanta MJS 2.20.0 has a getprop_builtin_foreign out-of-bounds read if a Built-in API name occurs in a substring of an input string. A buffer overflow vulnerability in Cesanta MJS version 2.22.0 allows attackers to execute arbitrary code, cause a denial of service (DoS), and obtain sensitive information via a segmentation fault that can occur in getprop_builtin_foreign when the input string includes a built-in API name. • https://github.com/cesanta/mjs/issues/254 https://github.com/cesanta/mjs/pull/255 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2023-43338
https://notcve.org/view.php?id=CVE-2023-43338
Cesanta mjs v2.20.0 was discovered to contain a function pointer hijacking vulnerability via the function mjs_get_ptr(). This vulnerability allows attackers to execute arbitrary code via a crafted input. • https://github.com/cesanta/mjs/issues/250 • CWE-787: Out-of-bounds Write •
CVE-2020-25887
https://notcve.org/view.php?id=CVE-2020-25887
Buffer overflow in mg_resolve_from_hosts_file in Mongoose 6.18, when reading from a crafted hosts file. • https://github.com/cesanta/mongoose/issues/1140 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVE-2023-2905 – Cesanta Mongoose MQTT Message Parsing Heap Overflow
https://notcve.org/view.php?id=CVE-2023-2905
Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Versions 7.9 and prior do not appear to be vulnerable. This issue is resolved in version 7.11. • https://github.com/cesanta/mongoose/pull/2274 https://github.com/cesanta/mongoose/releases/tag/7.11 https://takeonme.org/cves/CVE-2023-2905.html • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2023-34188
https://notcve.org/view.php?id=CVE-2023-34188
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests. • https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server https://github.com/cesanta/mongoose/commit/4663090a8fb036146dfe77718cff612b0101cb0f https://github.com/cesanta/mongoose/compare/7.9...7.10 https://github.com/cesanta/mongoose/pull/2197 •