CVE-2022-28049
NGINX NJS 0.7.2 was discovered to contain a NULL pointer dereference via the component njs_vmcode_array at /src/njs_vmcode.c.
Source: CVE-2022-28049
CVE-2022-28048
STB v2.27 was discovered to contain an integer shift of invalid size in the component stbi__jpeg_decode_block_prog_ac.
Source: CVE-2022-28048
CVE-2022-28044
lrzip v0.640 was discovered to contain a heap memory corruption via the component lrzip.c:initialise_control.
Source: CVE-2022-28044
CVE-2022-28042
stb_image.h v2.27 was discovered to contain a heap-based use-after-free via the function stbi__jpeg_huff_decode.
Source: CVE-2022-28042
CVE-2022-28041
stb_image.h v2.27 was discovered to contain an integer overflow via the function stbi__jpeg_decode_block_prog_dc. This vulnerability allows attackers to cause a Denial of Service (DoS) via unspecified vectors.
Source: CVE-2022-28041
CVE-2022-27474
SuiteCRM v7.11.23 was discovered to allow remote code execution via a crafted payload injected into the FirstName text field.
Source: CVE-2022-27474
CVE-2022-28868
An address bar spoofing vulnerability was discovered in Safe Browser for Android. When a user clicks on a specially crafted malicious webpage/URL, the user may be tricked for a short period of time (until the page loads) into thinking the content may be coming from a valid domain, while the content comes from the attacker-controlled site.
Source: CVE-2022-28868
CVE-2022-28869
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing, as the browser did not show the full URL, such as the port number.
Source: CVE-2022-28869
CVE-2022-28870
A vulnerability affecting F-Secure SAFE browser was discovered. A maliciously crafted website could make a phishing attack with address bar spoofing, as the address bar was not correct if navigation fails.
Source: CVE-2022-28870
CVE-2022-28345
The Signal app before 5.34 for iOS allows URI spoofing via RTLO injection. It incorrectly renders RTLO-encoded URLs beginning with a non-breaking space when there is a hash character in the URL. This technique allows a remote unauthenticated attacker to send legitimate-looking links, appearing to be any website URL, by abusing the non-http/non-https automatic rendering of URLs. An attacker can spoof, for example, example.com, and masquerade any URL with a malicious destination. An attacker requires a subdomain such as gepj, txt, fdp, or xcod, which would appear backwards as jpeg, txt, pdf, and docx respectively.
Source: CVE-2022-28345