CVE-2021-32434
https://notcve.org/view.php?id=CVE-2021-32434
abcm2ps v8.14.11 was discovered to contain an out-of-bounds read in the function calculate_beam at draw.c. Se ha detectado que abcm2ps versión v8.14.11, contiene una lectura fuera de límites en la función calculate_beam en el archivo draw.c • https://github.com/leesavide/abcm2ps/commit/2f56e1179cab6affeb8afa9d6c324008fe40d8e3 https://github.com/leesavide/abcm2ps/issues/83 https://lists.debian.org/debian-lts-announce/2022/04/msg00015.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6333SXWMES3K22DBAOAW34G6EU6WIJEY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EVGJH4HMXI3TWMHQJQCG3M7KSXJWJM7R https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTF4F • CWE-125: Out-of-bounds Read •
CVE-2022-24919 – Reflected XSS in graph configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24919
An authenticated user can create a link with reflected Javascript code inside it for graphs’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de los gráficos y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor de token CSRF conocido de la víctima, que se cambia periódicamente y es difícil de predecir. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24918 – Reflected XSS in item configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24918
An authenticated user can create a link with reflected Javascript code inside it for items’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de artículos y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor de token CSRF conocido de la víctima, que se cambia periódicamente y es difícil de predecir. • https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/browse/ZBX-20680 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24917 – Reflected XSS in service configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24917
An authenticated user can create a link with reflected Javascript code inside it for services’ page and send it to other users. The payload can be executed only with a known CSRF token value of the victim, which is changed periodically and is difficult to predict. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim during social engineering attacks. Un usuario autenticado puede crear un enlace con código Javascript reflejado en su interior para la página de servicios y enviarlo a otros usuarios. La carga útil sólo puede ejecutarse con un valor de token CSRF conocido de la víctima, que se cambia periódicamente y es difícil de predecir. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-24349 – Reflected XSS in action configuration window of Zabbix Frontend
https://notcve.org/view.php?id=CVE-2022-24349
An authenticated user can create a link with reflected XSS payload for actions’ pages, and send it to other users. Malicious code has access to all the same objects as the rest of the web page and can make arbitrary modifications to the contents of the page being displayed to a victim. This attack can be implemented with the help of social engineering and expiration of a number of factors - an attacker should have authorized access to the Zabbix Frontend and allowed network connection between a malicious server and victim’s computer, understand attacked infrastructure, be recognized by the victim as a trustee and use trusted communication channel. Un usuario autenticado puede crear un enlace con carga útil XSS reflejada para las páginas de acciones, y enviarlo a otros usuarios. El código malicioso tiene acceso a todos los mismos objetos que el resto de la página web y puede realizar modificaciones arbitrarias en el contenido de la página que se muestra a la víctima. • https://lists.debian.org/debian-lts-announce/2022/04/msg00011.html https://lists.debian.org/debian-lts-announce/2023/04/msg00013.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2V4N22R3QVTYAJMWFK2U2O6QXAZYM35Z https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QWP6UBFA5T6MOQPY2VDUG5YAJBFPYRFF https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWDZONUHDYKBXTAIAGHSYQDEGORD2QT7 https://support.zabbix.com/brows • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •