CVE-2021-30134
https://notcve.org/view.php?id=CVE-2021-30134
php-mod/curl (a wrapper of the PHP cURL extension) before 2.3.2 allows XSS via the post_file_path_upload.php key parameter and the POST data to post_multidimensional.php. php-mod/curl (un contenedor de la extensión PHP cURL) anterior a 2.3.2 permite XSS a través del parámetro clave post_file_path_upload.php y los datos POST en post_multidimensional.php. • https://wpscan.com/vulnerability/0b547728-27d2-402e-ae17-90d539344ec7 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-4725 – AWS SDK XML Parser XpathUtils.java XpathUtils server-side request forgery
https://notcve.org/view.php?id=CVE-2022-4725
A vulnerability was found in AWS SDK 2.59.0. It has been rated as critical. This issue affects the function XpathUtils of the file aws-android-sdk-core/src/main/java/com/amazonaws/util/XpathUtils.java of the component XML Parser. The manipulation leads to server-side request forgery. Upgrading to version 2.59.1 is able to address this issue. • https://github.com/aws-amplify/aws-sdk-android/commit/c3e6d69422e1f0c80fe53f2d757b8df97619af2b https://github.com/aws-amplify/aws-sdk-android/pull/3100 https://github.com/aws-amplify/aws-sdk-android/releases/tag/release_v2.59.1 https://vuldb.com/?id.216737 • CWE-918: Server-Side Request Forgery (SSRF) •
CVE-2022-23511
https://notcve.org/view.php?id=CVE-2022-23511
A privilege escalation issue exists within the Amazon CloudWatch Agent for Windows, software for collecting metrics and logs from Amazon EC2 instances and on-premises servers, in versions up to and including v1.247354. When users trigger a repair of the Agent, a pop-up window opens with SYSTEM permissions. Users with administrative access to affected hosts may use this to create a new command prompt as NT AUTHORITY\SYSTEM. To trigger this issue, the third party must be able to access the affected host and elevate their privileges such that they're able to trigger the agent repair process. They must also be able to install the tools required to trigger the issue. • https://github.com/aws/amazon-cloudwatch-agent/commit/6119858864c317ff26f41f576c169148d1250837#diff-76ed074a9305c04054cdebb9e9aad2d818052b07091de1f20cad0bbac34ffb52 https://github.com/aws/amazon-cloudwatch-agent/security/advisories/GHSA-j8x2-2m5w-j939 • CWE-274: Improper Handling of Insufficient Privileges •
CVE-2022-41917 – Incorrect Error Handling Allowed Partial File Reads Over REST API in OpenSearch
https://notcve.org/view.php?id=CVE-2022-41917
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. OpenSearch allows users to specify a local file when defining text analyzers to process data for text analysis. An issue in the implementation of this feature allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of potentially impacted files is limited to text files with read permissions allowed in the Java Security Manager policy configuration. OpenSearch version 1.3.7 and 2.4.0 contain a fix for this issue. • https://github.com/opensearch-project/OpenSearch/commit/6d20423f5920745463b1abc5f1daf6a786c41aa0 https://github.com/opensearch-project/OpenSearch/security/advisories/GHSA-w3rx-m34v-wrqx • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-755: Improper Handling of Exceptional Conditions •
CVE-2022-41918 – Issue with fine-grained access control of indices backing data streams
https://notcve.org/view.php?id=CVE-2022-41918
OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana. There is an issue with the implementation of fine-grained access control rules (document-level security, field-level security and field masking) where they are not correctly applied to the indices that back data streams potentially leading to incorrect access authorization. OpenSearch 1.3.7 and 2.4.0 contain a fix for this issue. Users are advised to update. There are no known workarounds for this issue. • https://github.com/opensearch-project/security/commit/f7cc569c9d3fa5d5432c76c854eed280d45ce6f4 https://github.com/opensearch-project/security/security/advisories/GHSA-wmx7-x4jp-9jgg • CWE-612: Improper Authorization of Index Containing Sensitive Information CWE-863: Incorrect Authorization •