CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21458
https://notcve.org/view.php?id=CVE-2022-21458
19 Apr 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Navigation Pages, Portal, Query). Supported versions that are affected are 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impac... • https://www.oracle.com/security-alerts/cpuapr2022.html •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-21456
https://notcve.org/view.php?id=CVE-2022-21456
19 Apr 2022 — Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Navigation Pages, Portal, Query). Supported versions that are affected are 8.58 and 8.59. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impac... • https://www.oracle.com/security-alerts/cpuapr2022.html •
CVSS: 5.4EPSS: 0%CPEs: 19EXPL: 0CVE-2022-24728 – Cross-site Scripting in CKEditor4
https://notcve.org/view.php?id=CVE-2022-24728
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content sanitization, which could result in executing JavaScript code. This problem has been patched in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 19EXPL: 0CVE-2022-24729 – Regular expression Denial of Service in dialog plugin
https://notcve.org/view.php?id=CVE-2022-24729
16 Mar 2022 — CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the `dialog` plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a browser tab freeze. A patch is available in version 4.18.0. There are currently no known workarounds. • https://ckeditor.com/cke4/release/CKEditor-4.18.0 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 77EXPL: 2CVE-2020-36518 – jackson-databind: denial of service via a large depth of nested objects
https://notcve.org/view.php?id=CVE-2020-36518
11 Mar 2022 — jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. jackson-databind versiones anteriores a 2.13.0, permite una excepción Java StackOverflow y una denegación de servicio por medio de una gran profundidad de objetos anidados A flaw was found in the Jackson Databind package. This cause of the issue is due to a Java StackOverflow exception and a denial of service via a significant depth of nested objects. Red Hat JBoss Enterprise Appli... • https://github.com/ghillert/boot-jackson-cve • CWE-400: Uncontrolled Resource Consumption CWE-787: Out-of-bounds Write •
CVSS: 7.4EPSS: 0%CPEs: 17EXPL: 1CVE-2021-44533 – nodejs: Incorrect handling of certificate subject and issuer fields
https://notcve.org/view.php?id=CVE-2021-44533
24 Feb 2022 — Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulner... • https://hackerone.com/reports/1429694 • CWE-295: Improper Certificate Validation •
CVSS: 7.4EPSS: 0%CPEs: 16EXPL: 1CVE-2021-44532 – nodejs: Certificate Verification Bypass via String Injection
https://notcve.org/view.php?id=CVE-2021-44532
24 Feb 2022 — Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This beha... • https://hackerone.com/reports/1429694 • CWE-295: Improper Certificate Validation CWE-296: Improper Following of a Certificate's Chain of Trust •
CVSS: 7.4EPSS: 0%CPEs: 15EXPL: 0CVE-2021-44531 – nodejs: Improper handling of URI Subject Alternative Names
https://notcve.org/view.php?id=CVE-2021-44531
24 Feb 2022 — Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This ... • https://hackerone.com/reports/1429694 • CWE-295: Improper Certificate Validation •
CVSS: 8.2EPSS: 0%CPEs: 16EXPL: 0CVE-2022-21824 – nodejs: Prototype pollution via console.table properties
https://notcve.org/view.php?id=CVE-2022-21824
24 Feb 2022 — Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the objec... • https://hackerone.com/reports/1431042 • CWE-471: Modification of Assumed-Immutable Data (MAID) CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •
CVSS: 5.9EPSS: 0%CPEs: 35EXPL: 0CVE-2021-4160 – BN_mod_exp may produce incorrect results on MIPS
https://notcve.org/view.php?id=CVE-2021-4160
28 Jan 2022 — There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because ... • https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf •