CVE-2022-32802
https://notcve.org/view.php?id=CVE-2022-32802
Processing a maliciously crafted file may lead to arbitrary code execution.
References: https://support.apple.com/en-us/HT213342 https://support.apple.com/en-us/HT213345 https://support.apple.com/en-us/HT213346
CVE-2022-25812 – Transposh WordPress Translation < 1.0.8 - Admin+ RCE
https://notcve.org/view.php?id=CVE-2022-25812
The Transposh WordPress Translation WordPress plugin before 1.0.8 does not validate its debug settings, which could allow high-privilege users such as admins to perform RCE.
The Transposh WordPress Translation plugin for WordPress is vulnerable to remote code execution in versions up to, and including, 1.0.8.1. This is due to insufficient extension validation on the log file that can be created via the plugin. This makes it possible for authenticated attackers with administrative-level permissions and above to set the log file extension to .php and then update a setting to log PHP executable code to that file, which can be used to achieve remote code execution.
Transposh WordPress Translation versions 1.0.8.1 and below have a "save_transposh" action available at "/wp-admin/admin.php?
References: https://wpscan.com/vulnerability/1f6bd346-4743-44b8-86d7-4fbe09bad657
CWE: CWE-94: Improper Control of Generation of Code ('Code Injection'); CWE-434: Unrestricted Upload of File with Dangerous Type
CVE-2022-2314 – VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
https://notcve.org/view.php?id=CVE-2022-2314
The VR Calendar WordPress plugin through 2.3.2 lets any user execute arbitrary PHP functions on the site.
The VR Calendar plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.2.2 via the handleCommands() function, which accepts user-supplied input via the 'vrc_cmd' parameter and passes it to call_user_func(). This allows unauthenticated attackers to execute code on the server.
References: https://wpscan.com/vulnerability/b22fe77c-844e-4c24-8023-014441cc1e82
CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); CWE-94: Improper Control of Generation of Code ('Code Injection')
CVE-2022-33967
https://notcve.org/view.php?id=CVE-2022-33967
Loading a specially crafted squashfs image may lead to a denial-of-service (DoS) condition or arbitrary code execution.
References: https://jvn.jp/en/vu/JVNVU97846460/index.html https://lists.denx.de/pipermail/u-boot/2022-June/487467.html https://source.denx.de/u-boot/u-boot/-/commit/7f7fb9937c6cb49dd35153bd6708872b390b0a44 https://www.denx.de/project/u-boot
CWE: CWE-787: Out-of-bounds Write
CVE-2022-1920 – gstreamer-plugins-good: Potential heap overwrite in gst_matroska_demux_add_wvpk_header()
https://notcve.org/view.php?id=CVE-2022-1920
Potential for arbitrary code execution through heap overwrite.
References: https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/1226 https://lists.debian.org/debian-lts-announce/2022/08/msg00001.html https://www.debian.org/security/2022/dsa-5204 https://access.redhat.com/security/cve/CVE-2022-1920 https://bugzilla.redhat.com/show_bug.cgi?id=2130935
CWE: CWE-122: Heap-based Buffer Overflow; CWE-190: Integer Overflow or Wraparound; CWE-787: Out-of-bounds Write