CVE-2009-2022
Published: 2009-06-09
Priority: P3 35 · Severity: medium, 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploit: public exploit listed (Exploit-DB)
EPSS: 5.16% (91.4th percentile)
fipsCMS Light 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file and obtain sensitive information via a direct request for _fipsdb/db.mdb.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fipsasp | fipscms_light | — | — |
| linux | linux_kernel | >= 5.7.0 < 6.0.19 | 6.0.19 |
| linux | linux_kernel | >= 6.1.0 < 6.1.5 | 6.1.5 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| cisa | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
OSV
osv · 2025-12-30
CVE-2022-50851 vhost_vdpa: fix the crash in unmap a large memory
In the Linux kernel, the following vulnerability has been resolved:
vhost_vdpa: fix the crash in unmap a large memory
While testing in vIOMMU, sometimes Guest will unmap very large memory,
which will cause the crash. To fix this, add a new function
vhost_vdpa_general_unmap(). This function will only unmap the memory
that is saved in iotlb.
Call Trace:
[ 647.820144] ------------[ cut here ]------------
[ 647.820848] kernel BUG at drivers/iommu/intel/iommu.c:1174!
[ 647.821486] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[ 647.822082] CPU: 10 PID: 1181 Comm: qemu-system-x86 Not tainted 6.0.0-rc1home_lulu_2452_lulu7_vhost+ #62
[ 647.823139] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qem4
[ 647.
GHSA
ghsa_unreviewed · 2022-05-02
CVE-2009-2022 [MEDIUM] GHSA-j3jp-46wx-ch5m: fipsCMS Light 2
fipsCMS Light 2.1 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database file and obtain sensitive information via a direct request for _fipsdb/db.mdb.
Red Hat
vendor_redhat · 2025-12-30 · CVSS 6.6
CVE-2022-50851 [MEDIUM] CWE-754 kernel: Linux kernel (vhost_vdpa): Denial of service via large memory unmap
Red Hat
vendor_redhat · 2025-12-24
CVE-2022-50753 kernel: f2fs: fix to do sanity check on summary info
In the Linux kernel, the following vulnerability has been resolved:
f2fs: fix to do sanity check on summary info
As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=216456
BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013
CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x45/0x5e
print_report.cold+0xf3/0x68d
kasan_report+0xa8/0x130
recover_data+0x63ae/0x6ae0 [f2fs]
f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
f2fs_fill_super+0x4665/0x61e0 [f2fs]
mount_bdev+0x2cf/0x3b0
legacy_get_tree+0xed/0x1d0
vfs_get_tree+0x81/0x2b0
path_mount
Red Hat
vendor_redhat · 2025-06-18 · CVSS 5.5
CVE-2025-38059 [MEDIUM] CWE-476 kernel: btrfs: avoid NULL pointer dereference if no valid csum tree
In the Linux kernel, the following vulnerability has been resolved:
btrfs: avoid NULL pointer dereference if no valid csum tree
[BUG]
When trying read-only scrub on a btrfs with rescue=idatacsums mount
option, it will crash with the following call trace:
BUG: kernel NULL pointer dereference, address: 0000000000000208
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
CPU: 1 UID: 0 PID: 835 Comm: btrfs Tainted: G O 6.15.0-rc3-custom+ #236 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 02/02/2022
RIP: 0010:btrfs_lookup_csums_bitmap+0x49/0x480 [btrfs]
Call Trace:
scrub_find_fill_first_stripe+0x35b/0x3d0 [btrfs]
scrub_simple_mirror+0x175/0x290 [btrfs]
scrub_s
Red Hat
vendor_redhat · 2024-10-21 · CVSS 4.7
CVE-2022-48997 [MEDIUM] CWE-362 kernel: char: tpm: Protect tpm_pm_suspend with locks
In the Linux kernel, the following vulnerability has been resolved:
char: tpm: Protect tpm_pm_suspend with locks
Currently tpm transactions are executed unconditionally in
tpm_pm_suspend() function, which may lead to races with other tpm
accessors in the system.
Specifically, the hw_random tpm driver makes use of tpm_get_random(),
and this function is called in a loop from a kthread, which means it's
not frozen alongside userspace, and so can race with the work done
during system suspend:
tpm tpm0: tpm_transmit: tpm_recv: error -52
tpm tpm0: invalid TPM_STS.x 0xff, dumping stack for forensics
CPU: 0 PID: 1 Comm: init Not tainted 6.1.0-rc5+ #135
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.0-20220807_005459-localhost 04/
Red Hat
vendor_redhat · 2024-07-16 · CVSS 5.5
CVE-2022-48836 [MEDIUM] kernel: Input: aiptek - properly check endpoint type
In the Linux kernel, the following vulnerability has been resolved:
Input: aiptek - properly check endpoint type
Syzbot reported warning in usb_submit_urb() which is caused by wrong
endpoint type. There was a check for the number of endpoints, but not
for the type of endpoint.
Fix it by replacing the old desc.bNumEndpoints check with the
usb_find_common_endpoints() helper for finding endpoints.
Fail log:
usb 5-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 2 PID: 48 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
Modules linked in:
CPU: 2 PID: 48 Comm: kworker/2:2 Not tainted 5.17.0-rc6-syzkaller-00226-g07ebd38a0da2 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Workqueue:
Red Hat
vendor_redhat · 2024-07-16 · CVSS 5.5
CVE-2022-48838 [MEDIUM] kernel: usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: Fix use-after-free bug by not setting udc->dev.driver
The syzbot fuzzer found a use-after-free bug:
BUG: KASAN: use-after-free in dev_uevent+0x712/0x780 drivers/base/core.c:2320
Read of size 8 at addr ffff88802b934098 by task udevd/3689
CPU: 2 PID: 3689 Comm: udevd Not tainted 5.17.0-rc4-syzkaller-00229-g4f12b742eb2b #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x
Red Hat
vendor_redhat · 2024-05-03 · CVSS 5.5
CVE-2022-48692 [MEDIUM] kernel: RDMA/srp: Set scmnd->result only when scmnd is not NULL
In the Linux kernel, the following vulnerability has been resolved:
RDMA/srp: Set scmnd->result only when scmnd is not NULL
This change fixes the following kernel NULL pointer dereference
which is reproduced by blktests srp/007 occasionally.
BUG: kernel NULL pointer dereference, address: 0000000000000170
PGD 0 P4D 0
Oops: 0002 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1H Kdump: loaded Not tainted 6.0.0-rc1+ #37
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.15.0-29-g6a62e0cb0dfe-prebuilt.qemu.org 04/01/2014
Workqueue: 0x0 (kblockd)
RIP: 0010:srp_recv_done+0x176/0x500 [ib_srp]
Code: 00 4d 85 ff 0f 84 52 02 00 00 48 c7 82 80 02 00 00 00 00 00 00 4c 89 df 4c 89 14 24 e8 53 d3 4a f6 4c 8b 14 24 41 0f b6
CISA
cisa · 2022-06-08 · CVSS 7.8
CVE-2009-4324 [HIGH] CWE-399 Adobe Acrobat and Reader Use-After-Free Vulnerability
Vulnerability: Adobe Acrobat and Reader Use-After-Free Vulnerability
Affected: Adobe Acrobat and Reader
Use-after-free vulnerability in Adobe Acrobat and Reader allows remote attackers to execute code via a crafted PDF file.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-4324
Remediation Due Date: 2022-06-22
CISA
cisa · 2022-06-08 · CVSS 7.8
CVE-2009-0563 [HIGH] CWE-119 Microsoft Office Buffer Overflow Vulnerability
Vulnerability: Microsoft Office Buffer Overflow Vulnerability
Affected: Microsoft Office
Microsoft Office contains a buffer overflow vulnerability that allows remote attackers to execute code via a Word document with a crafted tag containing an invalid length field.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-0563
Remediation Due Date: 2022-06-22
CISA
cisa · 2022-06-08 · CVSS 7.8
CVE-2009-1862 [HIGH] CWE-94 Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability
Vulnerability: Adobe Acrobat and Reader, Flash Player Unspecified Vulnerability
Affected: Adobe Acrobat and Reader, Flash Player
Adobe Acrobat and Reader and Adobe Flash Player allow remote attackers to execute code or cause denial-of-service (DoS).
Required Action: For Adobe Acrobat and Reader, apply updates per vendor instructions. For Adobe Flash Player, the impacted product is end-of-life and should be disconnected if still in use.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-1862
Remediation Due Date: 2022-06-22
CISA
cisa · 2022-03-03 · CVSS 7.8
CVE-2009-3129 [HIGH] CWE-94 Microsoft Excel Featheader Record Memory Corruption Vulnerability
Vulnerability: Microsoft Excel Featheader Record Memory Corruption Vulnerability
Affected: Microsoft Excel
Microsoft Office Excel allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-3129
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
exploitdb · 2022-08-01
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
---
# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
# Date: 2022-07-26
# Exploit Author: p1ckzi
# Vendor Homepage: https://github.com/kalyan02/NanoCMS
# Version: NanoCMS v0.4
# Tested on: Linux Mint 20.3
# CVE: N/A
#
# Description:
# this script uploads a php reverse shell to the target.
# NanoCMS does not sanitise the data of an authenticated user while creating
# webpages. pages are saved with .php extensions by default, allowing an
# authenticated attacker access to the underlying system:
# https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt
#!/usr/bin/env python3
import argparse
import bs4
import errno
import re
import requests
import secrets
imp
Exploit-DB
exploitdb · 2009-06-08
CVE-2009-2022 FipsCMS Light 2.1 - 'db.mdb' Remote Database Disclosure
---
@~~=======================================~~@
====C4TEAM.ORG====ByALBAYX====C4TEAM.ORG=====
@~~=======================================~~@
@~~=Author : ByALBAYX
@~~=Website : WWW.C4TEAM.ORG
@~~===============TURKISH=================~~@
@~~=======================================~~@
@~~=Script : fipsCMS Light 2.1
@~~=S.Site : http://fipsasp.com
@~~=======================================~~@
@~~=Vul : http://c4team.org/ [Yol] /_fipsdb/db.mdb
@~~=Demo : http://demo.fipsasp.com/fipsCMS_light/_fipsdb/db.mdb
Bugzilla
bugzilla · 2025-12-30
CVE-2022-50851 [MEDIUM] kernel: Linux kernel (vhost_vdpa): Denial of service via large memory unmap
Bugzilla
bugzilla · 2025-10-22
CVE-2022-50571 [LOW] kernel: btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
In the Linux kernel, the following vulnerability has been resolved:
btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
Now that lockdep is staying enabled through our entire CI runs, I started
seeing the following stack in generic/475.
------------[ cut here ]------------
WARNING: CPU: 1 PID: 2171864 at fs/btrfs/discard.c:604 btrfs_discard_update_discardable+0x98/0xb0
CPU: 1 PID: 2171864 Comm: kworker/u4:0 Not tainted 5.19.0-rc8+ #789
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
Workqueue: btrfs-cache btrfs_work_helper
RIP: 0010:btrfs_discard_update_discardable+0x98/0xb0
RSP: 0018:ffffb857c2f7bad0 EFLAGS: 00010246
RAX: 0000000000000000
Bugzilla
bugzilla · 2025-02-26 · CVSS 7.8
CVE-2022-49223 [HIGH] kernel: cxl/port: Hold port reference until decoder release
In the Linux kernel, the following vulnerability has been resolved:
cxl/port: Hold port reference until decoder release
KASAN + DEBUG_KOBJECT_RELEASE reports a potential use-after-free in
cxl_decoder_release() where it goes to reference its parent, a cxl_port,
to free its id back to port->decoder_ida.
BUG: KASAN: use-after-free in to_cxl_port+0x18/0x90 [cxl_core]
Read of size 8 at addr ffff888119270908 by task kworker/35:2/379
CPU: 35 PID: 379 Comm: kworker/35:2 Tainted: G OE 5.17.0-rc2+ #198
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
Workqueue: events kobject_delayed_cleanup
Call Trace:
dump_stack_lvl+0x59/0x73
print_address_description.constprop.0+0x1f/0x150
? to_cxl_port+0x18/