CVE-2022-38826
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is an execute arbitrary command in cstecgi.cgi.
Source: CVE-2022-38826
[월:] 2022년 09월
CVE-2022-38823
CVE-2022-38823
In TOTOLINK T6 V4.1.5cu.709_B20210518, there is a hard coded password for root in /etc/shadow.sample.
Source: CVE-2022-38823
CVE-2021-42949
CVE-2021-42949
The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.
Source: CVE-2021-42949
CVE-2022-3176
CVE-2022-3176
There exists a use-after-free in io_uring in the Linux kernel. Signalfd_poll() and binder_poll() use a waitqueue whose lifetime is the current task. It will send a POLLFREE notification to all waiters before the queue is freed. Unfortunately, the io_uring poll doesn’t handle POLLFREE. This allows a use-after-free to occur if a signalfd or binder fd is polled with io_uring poll, and the waitqueue gets freed. We recommend upgrading past commit fc78b2fc21f10c4c9c4d5d659a685710ffa63659
Source: CVE-2022-3176
CVE-2022-38846
CVE-2022-38846
EspoCRM version 7.1.8 is vulnerable to Missing Secure Flag allowing the browser to send plain text cookies over an insecure channel (HTTP). An attacker may capture the cookie from the insecure channel using MITM attack.
Source: CVE-2022-38846
CVE-2022-38844
CVE-2022-38844
CSV Injection in Create Contacts in EspoCRM 7.1.8 allows remote authenticated users to run system commands via creating contacts with payloads capable of executing system commands. Admin user exporting contacts in CSV file may end up executing the malicious system commands on his system.
Source: CVE-2022-38844
CVE-2022-38808
CVE-2022-38808
ywoa v6.1 is vulnerable to SQL Injection via backend/oa/visual/exportExcel.do interface.
Source: CVE-2022-38808
CVE-2022-38843
CVE-2022-38843
EspoCRM version 7.1.8 is vulnerable to Unrestricted File Upload allowing attackers to upload malicious file with any extension to the server. Attacker may execute these malicious files to run unintended code on the server to compromise the server.
Source: CVE-2022-38843
CVE-2022-38845
CVE-2022-38845
Cross Site Scripting in Import feature in EspoCRM 7.1.8 allows remote users to run malicious JavaScript in victim s browser via sending crafted csv file containing malicious JavaScript to authenticated user. Any authenticated user importing the crafted CSV file may end up running the malicious JavaScripting in the browser.
Source: CVE-2022-38845
CVE-2022-3223
CVE-2022-3223
Cross-site Scripting (XSS) – Stored in GitHub repository jgraph/drawio prior to 20.3.1.
Source: CVE-2022-3223