CVE-2022-1064
CVE-2022-1064: SQL injection through marking blog comments on bulk as spam in GitHub repository forkcms/forkcms prior to 5.11.1.
Published: 2022-03-25
Priority: P3 (48) | Severity: high | CVSS 3.1 base score: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.13% (62.5th percentile)
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fork-cms | fork_cms | < 5.11.1 | 5.11.1 |
| forkcms | forkcms | >= 0 < 5.11.1 | 5.11.1 |
| forkcms | forkcms_forkcms | >= unspecified < 5.11.1 | 5.11.1 |
| snyk | snyk-cocoapods-plugin | >= 0 < 2.5.3 | 2.5.3 |
| snyk | snyk-hex-plugin | >= 0 < 1.1.6 | 1.1.6 |
| snyk | snyk_cli | >= 0 < 1.1064.0 | 1.1064.0 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.0 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| ghsa | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 5.0 | MEDIUM | |
GHSA: snyk Code Injection vulnerability
ghsa · 2023-07-06 · CVSS 7.8
CVE-2022-24441 [HIGH] CWE-78
The package snyk before 1.1064.0 is vulnerable to Code Injection when analyzing a project. An attacker who can convince a user to scan a malicious project can include commands in a build file such as build.gradle or gradle-wrapper.jar, which will be executed with the privileges of the application. This vulnerability may be triggered when running the CLI tool directly, or when running a scan with one of the IDE plugins that invoke the Snyk CLI. Successful exploitation of this issue would likely require some level of social engineering - to coerce an untrusted project to be downloaded and analyzed via the Snyk CLI or opened in an IDE where a Snyk IDE plugin is installed and enabled. Additionally, if the IDE has a Trust feature then the target folder mus
GHSA: Snyk plugins vulnerable to Command Injection
ghsa · 2022-11-30 · CVSS 7.8
CVE-2022-22984 [HIGH] CWE-78
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted
GHSA: SQL Injection in Fork CMS
ghsa · 2022-03-26
CVE-2022-1064 [HIGH] CWE-89
Fork CMS is vulnerable to SQL injection through marking blog comments on bulk as spam in versions prior to 5.11.1.
OSV: SQL Injection in Fork CMS
osv · 2022-03-26
CVE-2022-1064 [HIGH]
Fork CMS is vulnerable to SQL injection through marking blog comments on bulk as spam in versions prior to 5.11.1.
Red Hat: snyk: snyk-hex-plugin: command injection
vendor_redhat · 2022-11-30 · CVSS 5.0
CVE-2022-22984 [MEDIUM] CWE-77
The package snyk before 1.1064.0; the package snyk-mvn-plugin before 2.31.3; the package snyk-gradle-plugin before 3.24.5; the package @snyk/snyk-cocoapods-plugin before 2.5.3; the package snyk-sbt-plugin before 2.16.2; the package snyk-python-plugin before 1.24.2; the package snyk-docker-plugin before 5.6.5; the package @snyk/snyk-hex-plugin before 1.1.6 are vulnerable to Command Injection due to an incomplete fix for [CVE-2022-40764](https://security.snyk.io/vuln/SNYK-JS-SNYK-3037342). A successful exploit allows attackers to run arbitrary commands on the host system where the Snyk CLI is installed by passing in crafted command line flags. In order to exploit this vulnerability, a user would have to execute the snyk test command on untrusted file
CISA: Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability
cisa · 2022-03-15 · CVSS 7.8
CVE-2019-1064 [HIGH] CWE-59
Vulnerability: Microsoft Windows AppX Deployment Service (AppXSVC) Privilege Escalation Vulnerability
Affected: Microsoft Windows
A privilege escalation vulnerability exists when Windows AppXSVC improperly handles hard links. An attacker who successfully exploited this vulnerability could run processes in an elevated context.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-1064
Remediation Due Date: 2022-04-05
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.