CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 1CVE-2021-24962 – WordPress File Upload < 4.16.3 - Contributor+ Path Traversal to RCE
https://notcve.org/view.php?id=CVE-2021-24962
01 Mar 2022 — The WordPress File Upload Free and Pro WordPress plugins before 4.16.3 allow users with a role as low as Contributor to perform path traversal via a shortcode argument, which can then be used to upload a PHP code disguised as an image inside the auto-loaded directory of the plugin, resulting in arbitrary code execution. • https://plugins.trac.wordpress.org/changeset/2677722 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-24442
https://notcve.org/view.php?id=CVE-2022-24442
25 Feb 2022 — JetBrains YouTrack before 2021.4.40426 was vulnerable to SSTI (Server-Side Template Injection) via FreeMarker templates. JetBrains YouTrack versiones anteriores a 2021.4.40426, era vulnerable a un ataque de tipo SSTI (Server-Side Template Injection) por medio de plantillas FreeMarker. • https://github.com/mbadanoiu/CVE-2022-24442 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 12EXPL: 0CVE-2021-22430
https://notcve.org/view.php?id=CVE-2021-22430
25 Feb 2022 — Successful exploitation of this vulnerability may cause code injection. • https://consumer.huawei.com/en/support/bulletin/2021/6 •
CVSS: 7.5EPSS: 0%CPEs: 7EXPL: 0CVE-2021-22395
https://notcve.org/view.php?id=CVE-2021-22395
25 Feb 2022 — There is a code injection vulnerability in smartphones. • https://consumer.huawei.com/en/support/bulletin/2021/7 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-21209 – ICSA-22-055-01 FATEK Automation FvDesigner
https://notcve.org/view.php?id=CVE-2022-21209
25 Feb 2022 — The affected product is vulnerable to an out-of-bounds read while processing project files, which allows an attacker to craft a project file that would allow arbitrary code execution. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-055-01 • CWE-125: Out-of-bounds Read •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23985 – ICSA-22-055-01 FATEK Automation FvDesigner
https://notcve.org/view.php?id=CVE-2022-23985
25 Feb 2022 — The affected product is vulnerable to an out-of-bounds write while processing project files, which allows an attacker to craft a project file that would allow arbitrary code execution. • https://www.cisa.gov/uscert/ics/advisories/icsa-22-055-01 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2022-23810
https://notcve.org/view.php?id=CVE-2022-23810
24 Feb 2022 — Template injection (Improper Neutralization of Special Elements Used in a Template Engine) vulnerability in a-blog cms Ver.2.8.x series versions prior to Ver.2.8.75, Ver.2.9.x series versions prior to Ver.2.9.40, Ver.2.10.x series versions prior to Ver.2.10.44, Ver.2.11.x series versions prior to Ver.2.11.42, and Ver.3.0.x series versions prior to Ver.3.0.1 allows a remote authenticated attacker to obtain an arbitrary file on the server via unspecified vectors. Una vulnerabilidad de inyección de plantillas ... • https://developer.a-blogcms.jp/blog/news/security-202202.html • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-24295
https://notcve.org/view.php?id=CVE-2022-24295
21 Feb 2022 — Okta Advanced Server Access Client for Windows prior to version 1.57.0 was found to be vulnerable to command injection via a specially crafted URL. Se ha detectado que Okta Advanced Server Access Client para Windows versiones anteriores a 1.57.0, es vulnerable a una inyección de comandos por medio de una URL especialmente diseñada • https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2022-24295 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 9%CPEs: 1EXPL: 2CVE-2021-25003 – WPCargo < 6.9.0 - Unauthenticated RCE
https://notcve.org/view.php?id=CVE-2021-25003
21 Feb 2022 — The WPCargo Track & Trace WordPress plugin before 6.9.0 contains a file which could allow unauthenticated attackers to write a PHP file anywhere on the web server, leading to RCE El plugin WPCargo Track & Trace de WordPress versiones anteriores a 6.9.0, contiene un archivo que podría permitir a atacantes no autenticados escribir un archivo PHP en cualquier lugar del servidor web, conllevando a una vulnerabilidad de tipo RCE • https://github.com/biulove0x/CVE-2021-25003 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 96%CPEs: 1EXPL: 6CVE-2022-23642 – Code Injection in Sourcegraph
https://notcve.org/view.php?id=CVE-2022-23642
18 Feb 2022 — Sourcegraph is a code search and navigation engine. Sourcegraph prior to version 3.37 is vulnerable to remote code execution in the `gitserver` service. The service acts as a git exec proxy, and fails to properly restrict calling `git config`. This allows an attacker to set the git `core.sshCommand` option, which sets git to use the specified command instead of ssh when they need to connect to a remote system. Exploitation of this vulnerability depends on how Sourcegraph is deployed. • https://packetstorm.news/files/id/167741 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-862: Missing Authorization •