FLIR AX8 thermal sensor cameras version up to and including 1.46.16 is vulnerable to Directory Traversal due to an improper access restriction. An unauthenticated, remote attacker can exploit this by sending a URI that contains directory traversal characters to disclose the contents of files located outside of the server's restricted path.

**FLIR AX8 vulnerabilities.****Product description:**

The FLIR AX8 is a thermal sensor with imaging capabilities, combining thermal and visual cameras that provides continuous temperature monitoring and alarming for critical electrical and mechanical equipment.  

**Affected products:**

All FLIR AX8 thermal sensor cameras version up to and including 1.46.16.

**Summary of the 4 vulnerabilities found / What we were able to find:**

*   Vulnerability 1 - Unauthenticated OS Command Injection.  
    FLIR AX8 is affected by an unauthenticated remote command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user through the id HTTP POST parameter in res.php endpoint. A successful exploit could allow the attacker to execute arbitrary commands on the underlying operating system with the root privileges. This issue affects all FLIR AX8 thermal sensor cameras version up to and including 1.46.16.
*   Vulnerability 2 - Unauthenticated Directory Traversal.  
    FLIR AX8 is affected by a directory traversal vulnerability due to an improper access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains directory traversal characters, to disclose the contents of files located outside of the server's restricted path. This issue affects all FLIR AX8 thermal sensor cameras version up to and including 1.46.16.
*   Vulnerability 3 - Improper Access Control.  
    FLIR AX8 is affected by an insecure design vulnerability due to an improper directory access restriction. An unauthenticated, remote attacker can exploit this, by sending a URI that contains the path of the SQLite users database, and download it. A successful exploit could allow the attacker to extract usernames and hashed passwords. This issue affects all FLIR AX8 thermal sensor cameras version up to and including 1.46.16.
*   Vulnerability 4 - Reflected cross-site scripting.  
    FLIR AX8 is affected by a reflected cross-site scripting (XSS) vulnerability due to an improper input sanitization. An authenticated, remote attacker can execute arbitrary JavaScript code in the web management interface. A successful exploit could allow the attacker to insert malicious JavaScript code. This issue affects all FLIR AX8 thermal sensor cameras version up to and including 1.46.16.

**Step by Step Example (How to Reproduce and verify) the vulnerabilities:**

1.  Unauthenticated Remote Command Injection.  
    The endpoint /res.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the POST parameter id can be injected to execute any Linux command. In the example below we create a crafted query that displays the contents of the /etc/shadow file.  
     The server returns a JSON response containing the contents of the /etc/shadow file.  
    This command injection is due because there no sanitization check on the variable $_POST["id"], line 65, and can therefore take advantage of the shell_exec() function to execute unexpected arbitrary shell commands.  
    
2.  Unauthenticated Directory Traversal.  
    The endpoint /download.php can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate. The second problem is that the GET parameter file can be injected with a relative file paths and download any files in the system. In the example below we create a crafted query that download the contents of the /etc/passwd file.  
    
    The error is due to the fact that there is no sanitization of the $file_path variable, line 26, when the fopen() function is called, line 39. However a comment in the code, line 24, and the use of the function pathinfo(), line 28, suggests that the developer thought about this problem and therefore created the variable $path_parts which is sanitized. But for some reasons the developer does not use the sanitizer variable $path_parts when the function fopen() is used. Probably an oversight.  
    
3.  Improper Access Control.  
    The endpoint /FLIR/db/users.db can be called remotely without user authentication as there is no cookie verification Cookie: PHPSESSID=ID to check if the request is legitimate and let any malicious actor to download the users.db SQLite database.
    
      
    Now we can see the content of the database correctly indented.
    
4.  Reflected cross-site scripting.  
    In the settings tab, if a file with a filename that contains JavaScript code is selected via the update firmware file input the JavaScript code will be triggered and executed. In our example, we created a file call
    

<img src\=x onerror\=alert(String.fromCharCode(97,108,101,114,116,40,39,116,101,115,116,39,41,59));\>.run

  
Then, once our malicious file selected.

**Recommendations for how to fix the 4 vulnerabilities:**

*   Vulnerability 1: The variable $_POST["id"], line 65 in the file /FLIR/usr/www/res.php, must be sanitized using the function intval() and will remove any character other than integer value. escapeshellcmd() and escapeshellarg() must be also used to escapes any characters in a string that might be used to execute arbitrary commands.  
    More info:  
    https://www.php.net/intval  
    https://www.php.net/manual/en/function.escapeshellcmd  
    https://www.php.net/manual/en/function.escapeshellarg
*   Vulnerability 2: The variable $file_path, line 39 in the file /FLIR/usr/www/download.php, must be sanitized using the function pathinfo() but also use a hard coded directory path, in case you need to manage several directories set a whitelist of all allowed directories and use multiple conditions.  
    More info:  
    https://www.php.net/manual/en/function.pathinfo
*   Vulnerability 3: Define a whitelist of all directories that a user is allowed to access. This can be added to the Lighttpd server configuration file, in /etc/lighttpd.conf.  
    More info:  
    https://www.cyberciti.biz/tips/howto-lighttpd-enable-disable-directory-listing.html
*   Vulnerability 4: To protect against filename XSS attack you can use a regex that will parse the filename to leave only numbers and letters.  
    More info:  
    https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_Prevention\_Cheat\_Sheet.html

**Reference:**

https://www.flir.com/products/ax8-automation/

**Security researchers:**

*   Thomas Knudsen
*   Samy Younsi

CVE-2022-37060: FLIR-AX8.md

Browse restriction bypass vulnerability in Address Book of Cybozu Office 10.0.0 to 10.8.5 allows a remote authenticated attacker to obtain the data of Address Book via unspecified vectors.

Published:2022/07/20  Last Updated:2022/07/21

**Overview**

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities.

**Products Affected**

*   Cybozu Office 10.0.0 to 10.8.5

**Description**

Cybozu Office provided by Cybozu, Inc. contains multiple vulnerabilities listed below.

*   **\[CyVDB-839\]\[CyVDB-2300\]\[CyVDB-3109\] Browse restriction bypass vulnerability in Cabinet (CWE-284)** - CVE-2022-32283
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-1795\] Operation restriction bypass vulnerability in Project (CWE-285)** - CVE-2022-32544
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:N/I:P/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-1800\]\[CyVDB-2798\]\[CyVDB-2927\] Browse restriction bypass vulnerability in Custom App (CWE-284)** - CVE-2022-29891
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-1849\] Cross-site scripting vulnerability in the specific parameters (CWE-79)** - CVE-2022-33151
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **\[CyVDB-1851\]\[CyVDB-1856\]\[CyVDB-1873\]\[CyVDB-1944\]\[CyVDB-2173\] Cross-site scripting vulnerability in the specific parameters (CWE-79)** - CVE-2022-28715
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **\[CyVDB-1859\] Cross-site scripting vulnerability in the specific parameters (CWE-79)** - CVE-2022-30604
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **\[CyVDB-2030\] HTTP header injection vulnerability (CWE-113)** - CVE-2022-32453
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    
*   **\[CyVDB-2152\]\[CyVDB-2153\]\[CyVDB-2154\]\[CyVDB-2155\] Information disclosure vulnerability in the system configuration (CWE-200)** - CVE-2022-30693
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 5.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:N/C:P/I:N/A:N
    
    **Base Score: 5.0**
    
*   **\[CyVDB-2693\] Operation restriction bypass vulnerability in Scheduler (CWE-285)** - CVE-2022-32583
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:N/I:P/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-2695\]\[CyVDB-2819\] Browse restriction bypass vulnerability in Scheduler (CWE-284)** - CVE-2022-25986
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-2770\] Browse restriction bypass vulnerability in Address Book (CWE-284)** - CVE-2022-33311
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    
    **Base Score: 4.3**
    
    CVSS v2
    
    AV:N/AC:L/Au:S/C:P/I:N/A:N
    
    **Base Score: 4.0**
    
*   **\[CyVDB-2939\] Cross-site scripting vulnerability in the specific parameters (CWE-79)** - CVE-2022-29487
    
    CVSS v3
    
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    
    **Base Score: 6.1**
    
    CVSS v2
    
    AV:N/AC:H/Au:N/C:N/I:P/A:N
    
    **Base Score: 2.6**
    

**Impact**

*   \[CyVDB-839\], \[CyVDB-2300\], \[CyVDB-3109\]:  
    A user who can log in to the product may obtain the data of Cabinet.
*   \[CyVDB-1795\]:  
    A user who can log in to the product may alter the data of Project.
*   \[CyVDB-1800\], \[CyVDB-2798\], \[CyVDB-2927\]:  
    A user who can log in to the product may obtain the data of Custom App.
*   \[CyVDB-1849\], \[CyVDB-1851\], \[CyVDB-1856\], \[CyVDB-1859\], \[CyVDB-1873\], \[CyVDB-1944\], \[CyVDB-2173\], \[CyVDB-2939\]:  
    An arbitrary script may be executed on a logged-in user's web browser.
*   \[CyVDB-2030\]:  
    A remote attacker may obtain and/or alter the data of the product.
*   \[CyVDB-2152\], \[CyVDB-2153\], \[CyVDB-2154\], \[CyVDB-2155\]:  
    A remote attacker may obtain the data of the product.
*   \[CyVDB-2693\]:  
    A user who can log in to the product may alter the data of Scheduler.
*   \[CyVDB-2695\], \[CyVDB-2819\]:  
    A user who can log in to the product may obtain the data of Scheduler.
*   \[CyVDB-2770\]:  
    A user who can log in to the product may obtain the data of Address Book.

**Solution**

**Update the Software**  
Update to the latest version according to the information provided by the developer.

**Vendor Status**

**References**

**JPCERT/CC Addendum**

**Vulnerability Analysis by JPCERT/CC**

**Credit**

CVE-2022-28715, CVE-2022-30604, CVE-2022-32453, CVE-2022-33151  
Masato Kinugawa reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-29891, CVE-2022-32544, CVE-2022-32583  
Yuji Tounai reported these vulnerabilities to Cybozu, Inc. and Cybozu, Inc. reported them to JPCERT/CC to notify users of the solutions through JVN.

CVE-2022-30693  
Kanta Nishitani of Ierae Security Inc. reported this vulnerability to Cybozu, Inc. and Cybozu, Inc. reported it to JPCERT/CC to notify users of its solution through JVN.

CVE-2022-29487, CVE-2022-25986, CVE-2022-32283, CVE-2022-33311  
Cybozu, Inc. reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

**Other Information**

**Update History**

2022/07/21

Information under the section \[Description\] was fixed.

CVE-2022-33311: Multiple vulnerabilities in Cybozu Office

A cross-site scripting (XSS) vulnerability in /admin/list_key.html of HestiaCP before v1.3.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Permalink

Browse files

Fix XSS issue in list\_key.html

*   Loading branch information

Kristan Kenney committed

Mar 28, 2021

1 parent 1e571d8 commit 706314c12872c7607e96a73dfc77dbbddad2875e

Showing **1 changed file** with **1 addition** and **1 deletion**.

@@ -29,7 +29,7 @@

?\>

<div class\="l-unit header animated fadeIn"\>

<div class\="l-unit\_\_col l-unit\_\_col--right"\>

<div class\="clearfix l-unit\_\_stat-col--left wide-3"\><b\><?=$data\[$key\]\['ID'\];?\></b\></div\>

<div class\="clearfix l-unit\_\_stat-col--left wide-3"\><b\><?=htmlspecialchars($data\[$key\]\['ID'\]);?\></b\></div\>

<div class\="clearfix l-unit\_\_stat-col--left text-left compact-2"\>

<div class\="l-unit-toolbar\_\_col l-unit-toolbar\_\_col--right noselect"\>

<div class\="actions-panel clearfix"\>

**0 comments on commit 706314c**

Please sign in to comment.

CVE-2021-30071: Fix XSS issue in list_key.html · hestiacp/hestiacp@706314c

NotrinosERP version 0.7 and prior is vulnerable to stored cross-site scripting. A fix is available on the `master` branch of the repository.

**NotrinosERP Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Aug 18, 2022 • Updated Aug 30, 2022

GHSA-hrx5-cv4v-4c44: NotrinosERP Cross-site Scripting vulnerability

kkFileView v4.1.0 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the urls and currentUrl parameters at /controller/OnlinePreviewController.java.

kkFileview v4.1.0 has an XSS vulnerability, which may lead to the leakage of website cookies.

kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java文件71行、86行，"urls"、"currentUrl"参数用户可控，且没有过滤特殊字符就输出到了页面

The vulnerability code is located at line 75,86 in kkFileView/server/src/main/java/cn/keking/web/controller/OnlinePreviewController.java , The 'urls' and 'currentUrl' parameter is user-controllable, and it is output to the page without filtering special characters

    @RequestMapping(value = "/picturesPreview")
    public String picturesPreview(String urls, Model model, HttpServletRequest req) throws UnsupportedEncodingException {
        String fileUrls;
        try {
            fileUrls = new String(Base64.decodeBase64(urls));
        } catch (Exception ex) {
            String errorMsg = String.format(BASE64_DECODE_ERROR_MSG, "urls");
            return otherFilePreview.notSupportedFile(model, errorMsg);
        }
        logger.info("预览文件url：{}，urls：{}", fileUrls, urls);
        // 抽取文件并返回文件列表
        String[] images = fileUrls.split("\\|");
        List<String> imgUrls = Arrays.asList(images);
        model.addAttribute("imgUrls", imgUrls);
    
        String currentUrl = req.getParameter("currentUrl");
        if (StringUtils.hasText(currentUrl)) {
            String decodedCurrentUrl = new String(Base64.decodeBase64(currentUrl));
            model.addAttribute("currentUrl", decodedCurrentUrl);
        } else {
            model.addAttribute("currentUrl", imgUrls.get(0));
        }
        return PICTURE_FILE_PREVIEW_PAGE;
    }

CVE-2022-35151: kkFileView XSS Vulnerability · Issue #366 · kekingcn/kkFileView

A cross-site scripting (XSS) vulnerability in CherryTree v0.99.30 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name text field when creating a node.

CVE-2022-35133

Clinic's Patient Management System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via update_medicine_details.php. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Packing text box under the Update Medical Details module.

Permalink

Cannot retrieve contributors at this time

**Clinic's Patient Management System v1.0 by oretnom23 has xss vulnerability**

Author：hangZhaoYue

The password for the backend login account is: admin/admin123

Vulnerability details: There is a stored xss vulnerability in "update\_medicine\_details.php" of the Medicine Detaits module of the Medicines module in the background management system

vendors: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code

Vulnerability File: pms/update\_medicine\_details.php

Vulnerability location: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=,packing

\[+\] Payload: ip/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=<script>alert(/document.cookie/)</script> // Leak place ---> packing

POST /pms/update\_medicine\_details.php?medicine\_id\=1&medicine\_detail\_id\=1&packing\=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/pms/update\_medicine\_details.php?medicine\_id=1&medicine\_detail\_id=1&packing=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Cookie: \_ga=GA1.1.1382961971.1655097107; PHPSESSID=0e9b9jpdjupmvl1dk6lq6dnmfe
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92
hidden\_id=1&medicine=1&packing=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=

1.  After we log in to the background, click on Medicines, then click on Medicines Details

2.  Pull to the bottom to see the editing function, click the edit on the first line

3.  Fill in our payload in the packing box (<script>alert(document.cookie)</script>),Click update to save

4.After clicking save, you can see that our payload is executed, and the cookie pops up

5.And also execute our payload when we access the Medicine Detaits of the Medicines module

CVE-2022-35117: bug_report/xss-1.md at main · zhangzhaoyuela/bug_report

Cross-site Scripting (XSS) - Stored in GitHub repository notrinos/notrinoserp prior to 0.7.

CVE-2022-2871

In Moodle before 3.9.1, 3.8.4 and 3.7.7, the filter in the admin task log required extra sanitizing to prevent a reflected XSS risk.

CVE-2020-14320

Adobe Commerce versions 2.4.3-p2 (and earlier), 2.3.7-p3 (and earlier) and 2.4.4 (and earlier) are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by an attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field.

Security update available for Adobe Commerce | APSB22-38  

Bulletin ID

Date Published

Priority

APSB22-38

August 9, 2022  
      

3

**Summary**

Adobe has released a security update for Adobe Commerce and Magento Open Source. This update resolves critical, important and moderate vulnerabilities.  Successful exploitation could lead to arbitrary code execution, privilege escalation and security feature bypass.

**Affected Versions**

**Product**

**Version**

**Platform**

 Adobe Commerce

2.4.3-p2 and earlier versions    

All

2.3.7-p3 and earlier versions  

All  

Adobe Commerce  

2.4.4 and earlier versions    

All  

Magento Open Source  

2.4.3-p2 and earlier versions         

All

2.3.7-p3 and earlier versions

All

Magento Open Source  

2.4.4 and earlier versions    

All  

**Solution**

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product

Updated Version

Platform

Priority Rating

Installation Instructions

Adobe Commerce  

2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5  

All  

1  

2.4.x release notes

2.3.x release notes

Magento Open Source   

2.3.7-p4, 2.4.3-p3, 2.4.4-p1, 2.4.5  

All  

1  

**Vulnerability Details**

Vulnerability Category

Vulnerability Impact

Severity

Authentication required to exploit?

Exploit requires admin privileges?  

**CVSS base score**  

**CVSS vector**  

Magento Bug ID

CVE number(s)

XML Injection (aka Blind XPath Injection) (CWE-91)  

Arbitrary code execution  

Critical

Yes

Yes

9.1

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H  

PRODSECBUG-3095  

CVE-2022-34253  

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)  

Arbitrary code execution  

Critical

Yes

No

8.5

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N  

PRODSECBUG-3081  

CVE-2022-34254  

Improper Input Validation (CWE-20)  

Privilege escalation  

Critical

Yes

No 

8.3

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L  

PRODSECBUG-3082  

CVE-2022-34255  

Improper Authorization (CWE-285)  

Privilege escalation  

Critical

No

No

8.2

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N  

PRODSECBUG-3093  

CVE-2022-34256  

Cross-site Scripting (Stored XSS) (CWE-79)  

Arbitrary code execution  

Important

No

No

6.1

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  

PRODSECBUG-3079  

CVE-2022-34257  

Cross-site Scripting (Stored XSS) (CWE-79)  

Arbitrary code execution  

Moderate

Yes

Yes

3.5

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N  

PRODSECBUG-3080  

CVE-2022-34258  

Improper Access Control (CWE-284)  

Security feature bypass  

Important

No

No

5.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L  

PRODSECBUG-3180  

CVE-2022-34259  

**Acknowledgements**

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

*   zb3 (zb3) -- CVE-2022-34253, CVE-2022-34255, CVE-2022-34256  
    
*   Edgar Boda-Majer (eboda) - CVE-2022-34254, CVE-2022-34257  
    
*   Salman Khan (salmanbabuzai) - CVE-2022-34258  
    
*   Axel Flamcourt (axfla) - CVE-2022-34259  
    

**Revisions**

August 12, 2022: Updated values in "Authentication required to exploit" and "Exploit requires admin privileges."

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.

Tag

#xss