CVE-2022-46538
Published 2022-12-20

Priority: P2 | 62 | Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.45% (82.3rd percentile)
Tenda F1203 V2.0.1.6 was discovered to contain a command injection vulnerability via the mac parameter at /goform/WriteFacMac.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tenda | f1203_firmware | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 7.5 | HIGH | — |
GHSA: Jettison parser crash by stack overflow
ghsa · 2023-08-01 · CVSS 7.5
CVE-2022-40149 [MEDIUM] CWE-121 Jettison parser crash by stack overflow

Those using Jettison to parse untrusted XML or JSON data may be vulnerable to denial-of-service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial-of-service attack.
### References
- https://nvd.nist.gov/vuln/detail/CVE-2022-40149
- https://github.com/jettison-json/jettison/issues/45
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46538
- https://github.com/jettison-json/jettison/pull/49/files
- https://github.com/jettison-json/jettison/releases/tag/jettison-1.5.1
- https://lists.debian.org/debian-lts-announce/2022/11/msg00011.html
- https://www.debian.org/security/2023/dsa-5312
GHSA: GHSA-rmcr-gcf2-8pqc: Tenda F1203 V2
ghsa_unreviewed · 2022-12-20
CVE-2022-46538 [CRITICAL] CWE-77 GHSA-rmcr-gcf2-8pqc: Tenda F1203 V2

Tenda F1203 V2.0.1.6 was discovered to contain a command injection vulnerability via the mac parameter at /goform/WriteFacMac.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2022-12-20