CVE-2022-44565
https://notcve.org/view.php?id=CVE-2022-44565
An improper access validation vulnerability exists in airMAX AC <8.7.11, airFiber 60/LR <2.6.2, airFiber 60 XG/HD <v1.0.0 and airFiber GBE <1.4.1 that allows a malicious actor to retrieve status and usage data from the UISP device. • https://community.ui.com/releases/Security-Advisory-Bulletin-027-027/123e4577-9f00-4777-abe1-64a1d56fee05 • CWE-284: Improper Access Control
CVE-2022-43553
https://notcve.org/view.php?id=CVE-2022-43553
A remote code execution vulnerability in EdgeRouters (Version 2.0.9-hotfix.4 and earlier) allows a malicious actor with an operator account to run arbitrary administrator commands. This vulnerability is fixed in Version 2.0.9-hotfix.5 and later. • https://community.ui.com/releases/Security-Advisory-Bulletin-026-026/07697c65-30b3-4c06-a158-35e06534480d • CWE-250: Execution with Unnecessary Privileges
CVE-2022-3824 – WP Admin UI Customize < 1.5.13 - Admin+ Stored XSS
https://notcve.org/view.php?id=CVE-2022-3824
The WP Admin UI Customize WordPress plugin before 1.5.13 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup). The WP Admin UI Customize plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘footer text’ parameter in versions up to, and including, 1.5.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. • https://wpscan.com/vulnerability/3ca6d724-cd79-4e07-b8d0-a8c1688abf16 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-35257
https://notcve.org/view.php?id=CVE-2022-35257
A local privilege escalation vulnerability in UI Desktop for Windows (Version 0.55.1.2 and earlier) allows a malicious actor with local access to a Windows device with UI Desktop to run arbitrary commands as SYSTEM. • https://community.ui.com/releases/Security-Advisory-Bulletin-025-025/7fc92851-054d-46d3-bdb0-fbb8f7023fed
CVE-2022-22570
https://notcve.org/view.php?id=CVE-2022-22570
A buffer overflow vulnerability found in the UniFi Door Access Reader Lite’s (UA Lite) firmware (Version 3.8.28.24 and earlier) allows a malicious actor who has gained access to a network to control all connected UA devices. This vulnerability is fixed in Version 3.8.31.13 and later. • https://community.ui.com/releases/Security-Advisory-Bulletin-024-024/22725557-0f72-4f5d-83b0-f16252fcd4b7 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')