CVSS: 5.5EPSS: 0%CPEs: 10EXPL: 2CVE-2021-46142
https://notcve.org/view.php?id=CVE-2021-46142
An issue was discovered in uriparser before 0.9.6. It performs invalid free operations in uriNormalizeSyntax. Se ha detectado un problema en uriparser versiones anteriores a 0.9.6. Lleva a cabo operaciones libres no válidas en uriNormalizeSyntax. • https://blog.hartwork.org/posts/uriparser-096-with-security-fixes-released https://github.com/uriparser/uriparser/issues/122 https://github.com/uriparser/uriparser/pull/124 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MO6T7WA27H7K3WI2AXUAGPWBGK4HM65D https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YGIJTDNEMU2V4H3JJBQVKBRHU5GBQKG2 https://www.debian.org/security/2022/dsa-5063 • CWE-416: Use After Free •
CVSS: 7.2EPSS: 0%CPEs: 6EXPL: 1CVE-2022-21663 – Authenticated Object Injection in Multisites in WordPress
https://notcve.org/view.php?id=CVE-2022-21663
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. On a multisite, users with Super Admin role can bypass explicit/additional hardening under certain conditions through object injection. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://blog.sonarsource.com/wordpress-object-injection-vulnerability https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jmmq-m8p8-332h https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5-8-3-security- • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-502: Deserialization of Untrusted Data •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-21662 – Stored XSS in WordPress
https://notcve.org/view.php?id=CVE-2022-21662
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Low-privileged authenticated users (like author) in WordPress core are able to execute JavaScript/perform stored XSS attack, which can affect high-privileged users. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 3.7.37. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-699q-3hj9-889w https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5-8-3-security-release https://www.debian.org/security/2022/dsa-5039 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2022-21664 – SQL injection in WordPress
https://notcve.org/view.php?id=CVE-2022-21664
WordPress is a free and open-source content management system written in PHP and paired with a MariaDB database. Due to lack of proper sanitization in one of the classes, there's potential for unintended SQL queries to be executed. This has been patched in WordPress version 5.8.3. Older affected versions are also fixed via security release, that go back till 4.1.34. We strongly recommend that you keep auto-updates enabled. • https://github.com/WordPress/wordpress-develop/commit/c09ccfbc547d75b392dbccc1ef0b4442ccd3c957 https://github.com/WordPress/wordpress-develop/security/advisories/GHSA-jp3p-gw8h-6x86 https://lists.debian.org/debian-lts-announce/2022/01/msg00019.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CV4UNEC63UU5GEU47IIR4RMTZAHNEOJG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DM6XPH3JN6V4NF4WBOJTOXZIVE6VKKE3 https://wordpress.org/news/2022/01/wordpress-5&# • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-28713
https://notcve.org/view.php?id=CVE-2021-28713
Rogue backends can cause DoS of guests via high frequency events T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Xen offers the ability to run PV backends in regular unprivileged guests, typically referred to as "driver domains". Running PV backends in driver domains has one primary security advantage: if a driver domain gets compromised, it doesn't have the privileges to take over the system. However, a malicious driver domain could try to attack other guests via sending events at a high frequency leading to a Denial of Service in the guest due to trying to service interrupts for elongated amounts of time. There are three affected backends: * blkfront patch 1, CVE-2021-28711 * netfront patch 2, CVE-2021-28712 * hvc_xen (console) patch 3, CVE-2021-28713 Los backends fraudulentos pueden causar DoS de huéspedes por medio de eventos de alta frecuencia T[este registro de información CNA se relaciona con múltiples CVEs; el texto explica qué aspectos/vulnerabilidades corresponden a cada CVE]. • https://lists.debian.org/debian-lts-announce/2022/03/msg00011.html https://lists.debian.org/debian-lts-announce/2022/03/msg00012.html https://www.debian.org/security/2022/dsa-5050 https://www.debian.org/security/2022/dsa-5096 https://xenbits.xenproject.org/xsa/advisory-391.txt •