CVE-2008-2022
published 2008-04-30CVE-2008-2022: Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) toid…
PriorityP419medium4.3CVSS 2.0
AVNACMAuNCNIPAN
EXPLOIT
EPSS
3.47%
87.6th percentile
Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) toid parameter to send-private-message.asp and the (2) redirect parameter to admin/impersonate.asp. NOTE: vector 2 requires authentication.
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | migueldeicaza_swiftterm | >= 0 < 1.2.0 | 1.2.0 |
| chrome_chrome | — | — | |
| msrc | remote_desktop_client | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_1909 | — | — |
| msrc | windows_10_version_20h2 | — | — |
| msrc | windows_10_version_21h1 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_11_version_21h2 | — | — |
| msrc | windows_7 | — | — |
| msrc | windows_8.1 | — | — |
| msrc | windows_rt_8.1 | — | — |
| msrc | windows_server_2008 | — | — |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
CVSS provenance
nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
ghsa7.3HIGH
cisa8.8HIGH
vendor_msrc8.8HIGH
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
SwiftTerm Code Injection vulnerability
ghsa·2023-07-14·CVSS 7.3
CVE-2022-23465 [HIGH] CWE-94 SwiftTerm Code Injection vulnerability
SwiftTerm Code Injection vulnerability
### Impact
Attacker could modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.
### Credit
These bugs were found and disclosed by David Leadbeater (@dgl at Github.com)
### Patches
Fixed in version ce596e0dc8cdb288bc7ed5c6a59011ee3a8dc171
### Workarounds
There are no workarounds available
### References
Similar exploits to this existed in the past, for terminal emulators:
https://nvd.nist.gov/vuln/detail/CVE-2003-0063
https://nvd.nist.gov/vuln/detail/CVE-2008-2383
Additional background and information is also available:
https://marc.info
GHSA
GHSA-6xvq-x47h-8rxm: Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2
ghsa_unreviewed·2022-05-01
CVE-2008-2022 [MEDIUM] CWE-79 GHSA-6xvq-x47h-8rxm: Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2
Mulatiple cross-site scripting (XSS) vulnerabilities in PD9 Software MegaBBS 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) toid parameter to send-private-message.asp and the (2) redirect parameter to admin/impersonate.asp. NOTE: vector 2 requires authentication.
Chrome
Stable Channel Update for Desktop: CVE-2022-2007
vendor_chrome·2022-06-09·CVSS 8.8
CVE-2022-2007 [HIGH] Stable Channel Update for Desktop: CVE-2022-2007
Stable Channel Update for Desktop
CVE-2022-2007: Use after free in WebGPU. Reported by David Manouchehri on 2022-05-17 [$TBD][ 1317673 ] High CVE-2022-2008: Out of bounds memory access in WebGL
Reported by khangkito - Tran Van Khang (VinCSS) on 2022-04-19 [$NA][ 1325298 ] High CVE-2022-2010: Out of bounds read in compositing
Severity: high
CISA
Adobe Reader and Acrobat Input Validation Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2008-2992 [HIGH] CWE-119 Adobe Reader and Acrobat Input Validation Vulnerability
Vulnerability: Adobe Reader and Acrobat Input Validation Vulnerability
Affected: Adobe Acrobat and Reader
Adobe Acrobat and Reader contain an input validation issue in a JavaScript method that could potentially lead to remote code execution.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2008-2992
Remediation Due Date: 2022-03-24
CISA
Microsoft Graphics Device Interface (GDI) Privilege Escalation Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2017-0001 [HIGH] Microsoft Graphics Device Interface (GDI) Privilege Escalation Vulnerability
Vulnerability: Microsoft Graphics Device Interface (GDI) Privilege Escalation Vulnerability
Affected: Microsoft Graphics Device Interface (GDI)
The Graphics Device Interface (GDI) in Microsoft Windows Vista SP2; Windows Server 2008 SP2 and R2 SP1; Windows 7 SP1; Windows 8.1; Windows Server 2012 Gold and R2; Windows RT 8.1; and Windows 10 Gold, 1511, and 1607 allows local users to gain privileges
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-0001
Remediation Due Date: 2022-03-24
CISA
Oracle VirtualBox Insufficient Input Validation Vulnerability
cisa·2022-03-03·CVSS 8.8
CVE-2008-3431 [HIGH] CWE-264 Oracle VirtualBox Insufficient Input Validation Vulnerability
Vulnerability: Oracle VirtualBox Insufficient Input Validation Vulnerability
Affected: Oracle VirtualBox
An input validation vulnerability exists in the VBoxDrv.sys driver of Sun xVM VirtualBox which allows attackers to locally execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2008-3431
Remediation Due Date: 2022-03-24
CISA
Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability
cisa·2022-03-03·CVSS 7.8
CVE-2017-8540 [HIGH] CWE-119 Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability
Vulnerability: Microsoft Malware Protection Engine Improper Restriction of Operations Vulnerability
Affected: Microsoft Malware Protection Engine
The Microsoft Malware Protection Engine running on Microsoft Forefront and Microsoft Defender on Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, and 1703, and Windows Server 2016, Microsoft Exchange Server 2013 and 2016, does not properly scan a specially crafted file leading to memory corruption. aka "Microsoft Malware Protection Engine Remote Code Execution Vulnerability".
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2017-8540
Remediation Due Date: 2022-03-24
No detection rules found.
No writeups or analysis indexed.
http://secunia.com/advisories/29979http://www.bugreport.ir/?/37http://www.securityfocus.com/bid/28961https://exchange.xforce.ibmcloud.com/vulnerabilities/42040https://exchange.xforce.ibmcloud.com/vulnerabilities/42042https://www.exploit-db.com/exploits/5507http://secunia.com/advisories/29979http://www.bugreport.ir/?/37http://www.securityfocus.com/bid/28961https://exchange.xforce.ibmcloud.com/vulnerabilities/42040https://exchange.xforce.ibmcloud.com/vulnerabilities/42042https://www.exploit-db.com/exploits/5507
2008-04-30
Published