Exploit
CVE-2022-4864

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)

Published: Dec 30, 2022 / Updated: 23mo ago

CVSS 5.4 / EPSS 0.05% / Medium

Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2022-4864. See article

Dec 30, 2022 at 10:28 PM / cve.report
EPSS

EPSS Score was set to: 0.05% (Percentile: 12.2%)

Sep 21, 2023 at 8:38 PM

Affected Systems

Froxlor/froxlor

Exploits

https://huntr.dev/bounties/b7140709-8f84-4f19-9463-78669fa2175b

Patches

Github Advisory

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-137: Parameter Injection

Vendor Advisory

Froxlor vulnerable to Argument Injection
GitHub Security Advisory: GHSA-3v7m-2jrh-vc93
Release Date: 2022-12-31
Update Date: 2023-01-03
Severity: Moderate
CVE: CVE-2022-4864
Package: froxlor/froxlor
Affected Versions: >= 2.0.0-beta0
Patched Versions: 2.0.0-beta1
Description: Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-4864
Froxlor/Froxlor@f2485ec
https://huntr.dev/bounties/b7140709-8f84-4f19-9463-78669fa2175b

References

Vulnerability Summary for the Week of January 2, 2023
Original release date: January 9, 2023
Last revised: January 10, 2023
High Vulnerabilities (Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info)
synology -- vpn_plus_server | Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors. | 2023-01-03 | 10 | CVE-2022-43931 MISC
printer_project -- printer | A vulnerability was found in Exciting Printer and classified as critical. This issue affects some unknown processing of the file lib/printer/jobs/prepare_page.rb of the component Argument Handler. The manipulation of the argument URL leads to command injection. The name of the patch is 5f8c715d6e2cc000f621a6833f0a86a673462136. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-217139.

News

CVE-2022-4864
Argument Injection in GitHub repository froxlor/froxlor prior to 2.0.0-beta1.
CVE-2022-4864 originally published on CyberSecurityBoard
US-CERT Bulletin (SB23-009): Vulnerability Summary for the Week of January 2, 2023
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
High: vulnerabilities with a CVSS base score of 7.0-10.0
Medium: vulnerabilities with a CVSS base score of 4.0-6.9
Low: vulnerabilities with a CVSS base score of 0.0-3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA.
CVE-2022-4864 | froxlor up to 1.x argument injection
A vulnerability has been found in froxlor up to 1.x and classified as critical. This vulnerability affects unknown code. The manipulation leads to argument injection. This vulnerability was named CVE-2022-4864. Access to the local network is required for this attack. There is no exploit available. It is recommended to upgrade the affected component.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:Required
Scope:Changed
Confidentiality:Low
Integrity:Low
Availability Impact:None
