CVSS: 8.0EPSS: 23%CPEs: 4EXPL: 0CVE-2022-21662 – Stored XSS in WordPress
https://notcve.org/view.php?id=CVE-2022-21662
06 Jan 2022 — WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 6%CPEs: 6EXPL: 0CVE-2022-21664 – SQL injection in WordPress
https://notcve.org/view.php?id=CVE-2022-21664
06 Jan 2022 — WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.1EPSS: 0%CPEs: 10EXPL: 1CVE-2021-4002 – kernel: possible leak or coruption of data residing on hugetlbfs
https://notcve.org/view.php?id=CVE-2021-4002
06 Jan 2022 — A memory leak flaw in the Linux kernel's hugetlbfs memory usage was found in the way the user maps some regions of memory twice using shmget() which are aligned to PUD alignment with the fault of some of the memory pages. A local user could use this flaw to get unauthorized access to some data. Se encontró un fallo de pérdida de memoria en el uso de memoria hugetlbfs del kernel de Linux en la forma en que el usuario mapea algunas regiones de memoria dos veces usando shmget() que están alineadas a la alineac... • https://bugzilla.redhat.com/show_bug.cgi?id=2025726 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-459: Incomplete Cleanup •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 1CVE-2022-21663 – Authenticated Object Injection in Multisites in WordPress
https://notcve.org/view.php?id=CVE-2022-21663
06 Jan 2022 — WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://blog.sonarsource.com/wordpress-object-injection-vulnerability • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28713 – Ubuntu Security Notice USN-6014-1
https://notcve.org/view.php?id=CVE-2021-28713
05 Jan 2022 — Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain... • https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28712 – Debian Security Advisory 5096-1
https://notcve.org/view.php?id=CVE-2021-28712
05 Jan 2022 — Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain... • https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28711 – Ubuntu Security Notice USN-5337-1
https://notcve.org/view.php?id=CVE-2021-28711
05 Jan 2022 — Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain... • https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2021-3842 – Inefficient Regular Expression Complexity in nltk/nltk
https://notcve.org/view.php?id=CVE-2021-3842
04 Jan 2022 — nltk is vulnerable to Inefficient Regular Expression Complexity nltk es vulnerable a una Complejidad de Expresión Regular Ineficiente It was discovered that NLTK contained a regex that is susceptible to catastrophic backtracking. An attacker could possibly use this issue to cause a denial of service. • https://github.com/nltk/nltk/commit/2a50a3edc9d35f57ae42a921c621edc160877f4d • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41141 – Missing release of locks in PJSIP
https://notcve.org/view.php?id=CVE-2021-41141
04 Jan 2022 — PJSIP is a free and open source multimedia communication library written in the C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. In various parts of PJSIP, when error/failure occurs, it is found that the function returns without releasing the currently held locks. This could result in a system deadlock, which cause a denial of service for the users. No release has yet been made which contains the linked fix commit. All versions up to an including 2.11.1 are affect... • https://github.com/pjsip/pjproject/commit/1aa2c0e0fb60a1b0bf793e0d834073ffe50fb196 • CWE-667: Improper Locking •
CVSS: 7.1EPSS: 0%CPEs: 4EXPL: 1CVE-2021-45972
https://notcve.org/view.php?id=CVE-2021-45972
01 Jan 2022 — The giftrans function in giftrans 1.12.2 contains a stack-based buffer overflow because a value inside the input file determines the amount of data to write. This allows an attacker to overwrite up to 250 bytes outside of the allocated buffer with arbitrary data. La función giftrans en giftrans versión 1.12.2, contiene un desbordamiento de búfer en la región stack de la memoria porque un valor dentro del archivo de entrada determina la cantidad de datos a escribir. Esto permite a un atacante sobrescribir ha... • http://web.archive.org/web/20150801185019 • CWE-1284: Improper Validation of Specified Quantity in Input •