CVSS: 7.8EPSS: 3%CPEs: 1EXPL: 0CVE-2022-26419 – Rockwell Automation Studio 5000 Logix Designer Code Injection
https://notcve.org/view.php?id=CVE-2022-26419
01 Apr 2022 — Omron CX-Position (versions 2.5.3 and prior) is vulnerable to multiple stack-based buffer overflow conditions while parsing a specific project file, which may allow an attacker to locally execute arbitrary code. Omron CX-Position (versiones 2.5.3 y anteriores) es vulnerable a múltiples condiciones de desbordamiento de búfer en la región stack de la memoria mientras analiza un archivo de proyecto específico, lo que puede permitir a un atacante ejecutar localmente código arbitrario This vulnerability allows r... • https://www.cisa.gov/uscert/ics/advisories/icsa-22-088-02 • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVSS: 7.7EPSS: 0%CPEs: 10EXPL: 0CVE-2022-1159 – Rockwell Automation Studio 5000 Logix Designer Code Injection
https://notcve.org/view.php?id=CVE-2022-1159
01 Apr 2022 — Rockwell Automation Studio 5000 Logix Designer (all versions) are vulnerable when an attacker who achieves administrator access on a workstation running Studio 5000 Logix Designer could inject controller code undetectable to a user. Rockwell Automation Studio 5000 Logix Designer (todas las versiones) son vulnerables cuando un atacante que logra acceso de administrador en una estación de trabajo que ejecuta Studio 5000 Logix Designer podría inyectar código de controlador no detectable para un usuario • https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-07 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2021-39908
https://notcve.org/view.php?id=CVE-2021-39908
01 Apr 2022 — In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code viewer UI. En todas las versiones de GitLab CE/EE a partir de la 0.8.0 antes de la 14.2.6, en todas las versiones a partir de la 14.3 antes de la 14.3.4, y en todas las versiones a partir de la 14.4 antes de la 14.... • https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39908.json • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 97%CPEs: 97EXPL: 81CVE-2022-22965 – Spring Framework JDK 9+ Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-22965
01 Apr 2022 — A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. Una aplicación Spring MVC o Spring WebFlux que es ejecutada en JDK 9+ puede ser ... • https://packetstorm.news/files/id/167011 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2021-23247
https://notcve.org/view.php?id=CVE-2021-23247
01 Apr 2022 — Allows remote attacke0rs to gain arbitrary code execution in quick game engine Una vulnerabilidad de inyección de comandos encontrada en quick game engine permite código remoto arbitrario en la aplicación rápida. • https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-1501448054614794240 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 9.8EPSS: 97%CPEs: 47EXPL: 32CVE-2022-22963 – VMware Tanzu Spring Cloud Function Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2022-22963
31 Mar 2022 — In Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions, when using routing functionality it is possible for a user to provide a specially crafted SpEL as a routing-expression that may result in remote code execution and access to local resources. En Spring Cloud Function versiones 3.1.6, 3.2.2 y versiones anteriores no soportadas, cuando es usada la funcionalidad routing es posible que un usuario proporcione un SpEL especialmente diseñado como expresión de enrutamiento que puede resul... • https://packetstorm.news/files/id/173430 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2022-22996 – SanDisk Professional G-RAID 4/8 Software Utility, Privilege Escalation
https://notcve.org/view.php?id=CVE-2022-22996
30 Mar 2022 — Successful exploitation could lead to arbitrary code execution in the context of the system user. • https://www.westerndigital.com/support/product-security/wdc-22007-sandisk-professional-g-raid-4-8-software-utility-setup-for-windows-privilege-escalation • CWE-427: Uncontrolled Search Path Element •
CVSS: 5.6EPSS: 0%CPEs: 1EXPL: 1CVE-2022-1172 – Null Pointer Dereference Caused Segmentation Fault in gpac/gpac
https://notcve.org/view.php?id=CVE-2022-1172
30 Mar 2022 — Una Desreferencia de Puntero Null causó un fallo de segmentación en el repositorio de GitHub gpac/gpac versiones anteriores a 2.1.0-DEV Multiple vulnerabilities have been discovered in GPAC, the worst of which could lead to arbitrary code execution. • https://github.com/gpac/gpac/commit/55a183e6b8602369c04ea3836e05436a79fbc7f8 • CWE-476: NULL Pointer Dereference •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2021-43097
https://notcve.org/view.php?id=CVE-2021-43097
28 Mar 2022 — A Server-side Template Injection (SSTI) vulnerability exists in bbs 5.3 in TemplateManageAction.javawhich could let a malicoius user execute arbitrary code. Se presenta una vulnerabilidad de inyección de plantillas en el lado del servidor (SSTI) en bbs versión 5.3, en el archivoTemplateManageAction.java que podría permitir a un usuario malicioso ejecutar código arbitrario • https://github.com/diyhi/bbs/issues/51 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-26255
https://notcve.org/view.php?id=CVE-2022-26255
27 Mar 2022 — Clash for Windows v0.19.8 was discovered to allow arbitrary code execution via a crafted payload injected into the Proxies name column. • https://github.com/Fndroid/clash_for_windows_pkg/issues/2710 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •