CVE-2022-29020

ForestBlog through 2022-02-16 allows admin/profile/save userAvatar XSS during addition of a user avatar.

Source: CVE-2022-29020

CVE-2022-1365

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository lquixada/cross-fetch prior to 3.1.5.

Source: CVE-2022-1365

CVE-2022-29281

Notable before 1.9.0-beta.8 doesn’t effectively prevent the opening of executable files when clicking on a link. There is improper validation of the file URI scheme. A hyperlink to an SMB share could lead to execution of an arbitrary program (or theft of NTLM credentials via an SMB relay attack, because the application resolves UNC paths).

Source: CVE-2022-29281

CVE-2022-27427

A zero-code remote code injection vulnerability via configuration.php in Chamilo LMS v1.11.13 allows attackers to upload arbitrary code in the form of a new plugin.

Source: CVE-2022-27427

CVE-2022-27426

A Server-Side Request Forgery (SSRF) in Chamilo LMS v1.11.13 allows attackers to enumerate the internal network and execute arbitrary system commands via a crafted Phar file.

Source: CVE-2022-27426

CVE-2022-27425

Chamilo LMS v1.11.13 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /blog/blog.php.

Source: CVE-2022-27425

CVE-2022-27423

Chamilo LMS v1.11.13 was discovered to contain a SQL injection vulnerability via the blog_id parameter at /blog/blog.php.

Source: CVE-2022-27423

CVE-2022-27422

A reflected cross-site scripting (XSS) vulnerability in Chamilo LMS v1.11.13 allows attackers to execute arbitrary web scripts or HTML via user interaction with a crafted URL.

Source: CVE-2022-27422

CVE-2022-27421

Chamilo LMS v1.11.13 lacks validation on the user modification form, allowing attackers to escalate privileges to Platform Admin.

Source: CVE-2022-27421

CVE-2022-29072

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area.

Source: CVE-2022-29072