
CVSS: 9.8 | EPSS: 97% | CPEs: 14 | EXPL: 23

Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. • https://github.com/SeanWrightSec/CVE-2022-42889-PoC https://github.com/kljunowsky/CVE-2022-42889-text4shell https://github.com/korteke/CVE-2022-42889-POC https://github.com/cxzero/CVE-2022-42889-text4shell https://github.com/cryxnet/CVE-2022-42889-RCE https://github.com/akshayithape-devops/CVE-2022-42889-POC https://github.com/0xst4n/CVE-2022-42889 https://github.com/0xmaximus/Apache-Commons-Text-CVE-2022-42889 https://github.com/gustanini/CVE-2022-42889-Text4Shell-POC https:/… • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1188: Initialization of a Resource with an Insecure Default •

CVSS: 7.8 | EPSS: 0% | CPEs: 9 | EXPL: 1

This issue can lead to a denial of service or arbitrary code execution. • http://packetstormsecurity.com/files/169951/Kernel-Live-Patch-Security-Notice-LSN-0090-1.html http://www.openwall.com/lists/oss-security/2022/10/13/5 https://bugzilla.suse.com/show_bug.cgi?id=1204059 https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless.git/commit/?id=0b7808818cb9df6680f98996b8e9a439fa7bcc2f https://lists.debian.org/debian-lts-announce/2022/11/msg00001.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GGHENNMLCWIQV2LLA56BJNFIUZ7WB4IY… • CWE-416: Use After Free •

CVSS: 7.2 | EPSS: 0% | CPEs: 2 | EXPL: 0

October is a self-hosted Content Management System (CMS) platform based on the Laravel PHP Framework. This vulnerability only affects installations that rely on the safe mode restriction, commonly used when providing public access to the admin panel. Assuming an attacker has access to the admin panel and permission to open the "Editor" section, they can bypass the Safe Mode (`cms.safe_mode`) restriction to introduce new PHP code in a CMS template using a specially crafted request. The issue has been patched in versions 2.2.34 and 3.0.66. • https://github.com/octobercms/october/security/advisories/GHSA-x4q7-m6fp-4v9v • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. • https://www.dell.com/support/kbdoc/000203882 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVSS: 7.8 | EPSS: 0% | CPEs: 4 | EXPL: 0

A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM. • https://www.dell.com/support/kbdoc/000203882 • CWE-457: Use of Uninitialized Variable CWE-908: Use of Uninitialized Resource •