
CVSS: 7.2 • EPSS: 0% • CPEs: 2 • EXPL: 0

13 Apr 2022 — The GeoServer security mechanism can perform an unchecked JNDI lookup, which in turn can be used to perform class deserialization and result in arbitrary code execution. • https://github.com/geoserver/geoserver/security/advisories/GHSA-4pm3-f52j-8ggh • CWE-20: Improper Input Validation • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSS: 8.8 • EPSS: 0% • CPEs: 7 • EXPL: 0

13 Apr 2022 — Integrators using Composer code to call `VcsDriver::getFileContent` can have a code injection vulnerability if the user can control the `$file` or `$identifier` argument. • https://github.com/composer/composer/commit/2c40c53637c5c7e43fff7c09d3d324d632734709 • CWE-20: Improper Input Validation • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CVSS: 8.2 • EPSS: 0% • CPEs: 3 • EXPL: 1

13 Apr 2022 — The GeoTools library has a number of data sources that can perform unchecked JNDI lookups, which in turn can be used to perform class deserialization and result in arbitrary code execution. • https://github.com/mbadanoiu/CVE-2022-24818 • CWE-20: Improper Input Validation • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CVSS: 10.0 • EPSS: 96% • CPEs: 1 • EXPL: 1

13 Apr 2022 — Users who cannot upgrade can disable the ability to compile Jiffle scripts from the final application by removing janino-x.y.z.jar from the classpath. OSGeo GeoServer JAI-EXT contains a code injection vulnerability that, when programs use jt-jiffle and allow a Jiffle script to be provided via a network request, could allow remote code execution. • https://github.com/c1ph3rbyt3/CVE-2022-24816 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 8.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Apr 2022 — Directory traversal vulnerability in file cn/roothub/store/FileSystemStorageService, function store, in Roothub 2.6.0 allows remote attackers with low privilege to upload arbitrary files via the /common/upload API, which could lead to remote arbitrary code execution. • https://github.com/Hyperkopite/Roothub_vulns/blob/main/arbitrary%20file%20upload.md • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 7.8 • EPSS: 0% • CPEs: 2 • EXPL: 0

12 Apr 2022 — In Bitmap_createFromParcel of Bitmap.cpp, there is a possible arbitrary code execution due to a missing bounds check. • https://source.android.com/security/bulletin/2022-04-01 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

CVSS: 10.0 • EPSS: 97% • CPEs: 13 • EXPL: 28

11 Apr 2022 — VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution. • https://packetstorm.news/files/id/166935 • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 9.3 • EPSS: 0% • CPEs: 4 • EXPL: 0

11 Apr 2022 — A vulnerability using PendingIntent in Accessibility prior to version 12.5.3.2 in Android R(11.0) and 13.0.1.1 in Android S(12.0) allows an attacker to access the file with system privilege. • https://security.samsungmobile.com/serviceWeb.smsb?year=2022&month=2 • CWE-94: Improper Control of Generation of Code ('Code Injection') • CWE-552: Files or Directories Accessible to External Parties

CVSS: 7.8 • EPSS: 0% • CPEs: 3 • EXPL: 0

11 Apr 2022 — Improper boundary check in the Quram Agif library prior to SMR Apr-2022 Release 1 allows arbitrary code execution. • https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=4 • CWE-122: Heap-based Buffer Overflow • CWE-787: Out-of-bounds Write

CVSS: 8.8 • EPSS: 5% • CPEs: 1 • EXPL: 2

11 Apr 2022 — Bolt CMS <= 4.2 is vulnerable to remote code execution. Unsafe theme rendering allows an authenticated attacker to edit the theme and inject a server-side template injection that leads to remote code execution. • http://boltcms.com • CWE-94: Improper Control of Generation of Code ('Code Injection')