CVSS: 7.2EPSS: 2%CPEs: 1EXPL: 1CVE-2021-46118
https://notcve.org/view.php?id=CVE-2021-46118
26 Jan 2022 — jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code. jpress versión 4.2.0 es vulnerable a una ejecución de código remota por medio de io.jpress.module.article.kit.ArticleNotifyKit#doSendEmail. El panel de administración proporciona una función mediante la cual los atacantes pueden editar las plantillas de correo electrónico e i... • http://jpress.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.2EPSS: 3%CPEs: 1EXPL: 1CVE-2021-46117
https://notcve.org/view.php?id=CVE-2021-46117
26 Jan 2022 — jpress 4.2.0 is vulnerable to remote code execution via io.jpress.module.page.PageNotifyKit#doSendEmail. The admin panel provides a function through which attackers can edit the email templates and inject some malicious code. jpress versión 4.2.0 es vulnerable a una ejecución de código remota por medio de io.jpress.module.page.PageNotifyKit#doSendEmail. El panel de administración proporciona una función mediante la cual atacantes pueden editar las plantillas de correo electrónico e inyectar código malicioso • http://jpress.com • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45975
https://notcve.org/view.php?id=CVE-2021-45975
26 Jan 2022 — In ListCheck.exe in Acer Care Center 4.x before 4.00.3038, a vulnerability in the loading mechanism of Windows DLLs could allow a local attacker to perform a DLL hijacking attack. This vulnerability is due to incorrect handling of directory search paths at run time. An attacker could exploit this vulnerability by placing a malicious DLL file on the targeted system. This file will execute when the vulnerable application launches. A successful exploit could allow the attacker to execute arbitrary code on the ... • https://acercsi.com • CWE-426: Untrusted Search Path •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2022-0220 – WordPress GDPR & CCPA < 1.9.27 - Unauthenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2022-0220
26 Jan 2022 — The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.27, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. Due to v1.9.26 adding a CSRF check, the XSS is only exploitable against unauthenticated users (as they all share the same nonce) L... • https://wpscan.com/vulnerability/a91a01b9-7e36-4280-bc50-f6cff3e66059 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24814 – WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2021-24814
26 Jan 2022 — The check_privacy_settings AJAX action of the WordPress GDPR WordPress plugin before 1.9.26, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and... • https://wpscan.com/vulnerability/94ab34f6-86a9-4e14-bf86-26ff6cb4383e • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23008
https://notcve.org/view.php?id=CVE-2022-23008
25 Jan 2022 — On NGINX Controller API Management versions 3.18.0-3.19.0, an authenticated attacker with access to the "user" or "admin" role can use undisclosed API endpoints on NGINX Controller API Management to inject JavaScript code that is executed on managed NGINX data plane instances. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. En NGINX Controller API Management versiones 3.18.0-3.19.0, un atacante autenticado con acceso al rol "user" o "admin" puede usar endpoints ... • https://support.f5.com/csp/article/K57735782 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2021-45029 – Apache ShenYu 2.4.1 Groovy Code Injection & SpEL Injection
https://notcve.org/view.php?id=CVE-2021-45029
25 Jan 2022 — Groovy Code Injection & SpEL Injection which lead to Remote Code Execution. • http://www.openwall.com/lists/oss-security/2022/01/25/8 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 5CVE-2022-23935 – Gentoo Linux Security Advisory 202407-27
https://notcve.org/view.php?id=CVE-2022-23935
25 Jan 2022 — lib/Image/ExifTool.pm in ExifTool before 12.38 mishandles a $file =~ /\|$/ check, leading to command injection. lib/Image/ExifTool.pm en ExifTool antes de la versión 12.38 maneja mal una comprobación de $file =~ /|$/, lo que lleva a la inyección de comandos Multiple vulnerabilities have been discovered in ExifTool, the worst of which could lead to arbitrary code execution. • https://github.com/BKreisel/CVE-2022-23935 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 671EXPL: 0CVE-2021-36343
https://notcve.org/view.php?id=CVE-2021-36343
24 Jan 2022 — A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. • https://www.dell.com/support/kbdoc/en-us/000193321/dsa-2021-240 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 7.5EPSS: 0%CPEs: 673EXPL: 0CVE-2021-36342
https://notcve.org/view.php?id=CVE-2021-36342
24 Jan 2022 — A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. • https://www.dell.com/support/kbdoc/en-us/000193321/dsa-2021-240 • CWE-20: Improper Input Validation CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •