This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.
There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.
We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.
If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!
1. CVE-2020-4463
IBM Maximo Asset Management 7.6.0.1 and 7.6.0.2 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 181484.
https://nvd.nist.gov/vuln/detail/CVE-2020-4463
2. CVE-2021-38003
Inappropriate implementation in V8 in Google Chrome prior to 95.0.4638.69 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
https://nvd.nist.gov/vuln/detail/CVE-2021-38003
3. CVE-2022-41049
Windows Mark of the Web Security Feature Bypass Vulnerability. This CVE ID is unique from CVE-2022-41049.
https://nvd.nist.gov/vuln/detail/CVE-2022-41049
4. CVE-2022-23467
OpenRazer is an open source driver and user-space daemon to control Razer device lighting and other features on GNU/Linux. Using a modified USB device an attacker can leak stack addresses of the `razer_attr_read_dpi_stages`, potentially bypassing KASLR. To exploit this vulnerability an attacker would need to access to a users keyboard or mouse or would need to convince a user to use a modified device. The issue has been patched in v3.5.1. Users are advised to upgrade and should be reminded not to plug in unknown USB devices.
https://nvd.nist.gov/vuln/detail/CVE-2022-23467
5. CVE-2022-26485
N/A
https://nvd.nist.gov/vuln/detail/CVE-2022-26485
6. CVE-2021-42298
N/A
https://nvd.nist.gov/vuln/detail/CVE-2021-42298
7. CVE-2022-23093
N/A
https://nvd.nist.gov/vuln/detail/CVE-2022-23093
8. CVE-2022-30206
A heap-based buffer overflow flaw was found in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length. An unprivileged (in case of unprivileged user namespaces enabled, otherwise needs namespaced CAP_SYS_ADMIN privilege) local user able to open a filesystem that does not support the Filesystem Context API (and thus fallbacks to legacy handling) could use this flaw to escalate their privileges on the system.
https://nvd.nist.gov/vuln/detail/CVE-2022-30206
9. CVE-2022-38599
Teleport v3.2.2, Teleport v3.5.6-rc6, and Teleport v3.6.3-b2 was discovered to contain an information leak via the /user/get-role-list web interface.
https://nvd.nist.gov/vuln/detail/CVE-2022-38599
10. CVE-2022-3328
N/A
https://nvd.nist.gov/vuln/detail/CVE-2022-3328