CVSS: 7.5 • EPSS: 0% • CPEs: 56 • EXPL: 0

26 May 2022 — A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution during SMM. • https://www.dell.com/support/kbdoc/en-us/000199285/dsa-2022-095 • CWE-20: Improper Input Validation •

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

26 May 2022 — This vulnerability may allow arbitrary code execution on affected installations of Autodesk 3ds Max. • https://www.autodesk.com/trust/security-advisories/adsk-sa-2022-0006 • CWE-1284: Improper Validation of Specified Quantity in Input •

CVSS: 9.8 • EPSS: 0% • CPEs: 5 • EXPL: 0

26 May 2022 — A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments. • https://github.com/advisories/GHSA-w749-p3v6-hccq • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 8.8 • EPSS: 0% • CPEs: 7 • EXPL: 1

24 May 2022 — Smarty is a template engine for PHP, facilitating the separation of presentation (HTML/CSS) from application logic. Prior to versions 3.1.45 and 4.1.1, template authors could inject PHP code by choosing a malicious {block} name or {include} file name. Sites that cannot fully trust template authors should upgrade to versions 3.1.45 or 4.1.1 to receive a patch for this issue. There are currently no known workarounds. • https://github.com/sbani/CVE-2022-29221-PoC • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.9 • EPSS: 0% • CPEs: 2 • EXPL: 0

23 May 2022 — Windows OS can be configured to overlay a “language bar” on top of any application. When this OS functionality is enabled, the OS language bar UI will be viewable in the browser alongside the AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere applications. It is possible to manipulate the Windows OS language bar to launch an OS command prompt, resulting in a context-escape from application into OS. • https://www.aveva.com/en/support-and-success/cyber-security-updates • CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 7.8 • EPSS: 0% • CPEs: 9 • EXPL: 1

20 May 2022 — Prior to versions 2.9.0, 2.8.1, 2.7.2, and 2.6.4, TensorFlow's `saved_model_cli` tool is vulnerable to a code injection. • https://github.com/tensorflow/tensorflow/blob/f3b9bf4c3c0597563b289c0512e98d4ce81f886e/tensorflow/python/tools/saved_model_cli.py#L566-L574 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 9.0 • EPSS: 0% • CPEs: 2 • EXPL: 1

20 May 2022 — SOOTEWAY Wi-Fi Range Extender v1.5 was discovered to use default credentials (the admin password for the admin account) to access the TELNET service, allowing attackers to erase/read/write the firmware remotely. • https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990 • CWE-287: Improper Authentication •

CVSS: 5.4 • EPSS: 0% • CPEs: 2 • EXPL: 1

20 May 2022 — Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized SSID parameter. • https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 5.4 • EPSS: 0% • CPEs: 2 • EXPL: 1

20 May 2022 — Pix-Link MiNi Router 28K.MiniRouter.20190211 was discovered to contain a stored cross-site scripting (XSS) vulnerability due to an unsanitized Security Key parameter. • https://blog-ssh3ll.medium.com/acexy-wireless-n-wifi-repeater-vulnerabilities-8bd5d14a2990 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 8.8 • EPSS: 0% • CPEs: 6 • EXPL: 0

19 May 2022 — Improper access control in the CI/CD cache mechanism in GitLab CE/EE affecting all versions starting from 1.0.2 before 14.8.6, all versions from 14.9.0 before 14.9.4, and all versions from 14.10.0 before 14.10.1 allows a malicious actor with Developer privileges to perform cache poisoning leading to arbitrary code execution in protected branches. • https://gitlab.com/gitlab-org/cves/-/blob/master/2022/CVE-2022-1423.json • CWE-862: Missing Authorization •