{"vulnerability": "CVE-2022-2347", "sightings": [{"uuid": "864dd576-920c-4a19-94af-1de51a4588d4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2022-23477", "type": "seen", "source": "https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2022", "content": "", "creation_timestamp": "2022-12-12T09:00:28.000000Z"}, {"uuid": "4cb377e7-2409-4325-8c59-ff58e06b6c0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23475", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12890", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23475\n\ud83d\udd25 CVSS Score: 8.8 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)\n\ud83d\udd39 Description: daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated  by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.\n\n\n\n\ud83d\udccf Published: 2022-12-06T19:13:36.217Z\n\ud83d\udccf Modified: 2025-04-22T15:58:29.584Z\n\ud83d\udd17 References:\n1. https://github.com/lirantal/daloradius/security/advisories/GHSA-c9xx-6mvw-9v84\n2. 
https://github.com/lirantal/daloradius/commit/ec3b4a419e20540cf28ce60e48998b893e3f1dea", "creation_timestamp": "2025-04-22T16:03:36.000000Z"}, {"uuid": "ce0a69d4-3555-4836-bc23-29cb046c1bf5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2022-23478", "type": "seen", "source": "https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2022", "content": "", "creation_timestamp": "2022-12-12T09:00:28.000000Z"}, {"uuid": "4821d8e3-6d48-4c51-9e55-5d00a7618258", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "86ecb4e1-bb32-44d5-9f39-8a4673af8385", "vulnerability": "CVE-2022-23479", "type": "seen", "source": "https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus_24/2022", "content": "", "creation_timestamp": "2022-12-12T09:00:28.000000Z"}, {"uuid": "279faf25-c90a-49a7-9cb0-f1adcf3735b8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "published-proof-of-concept", "source": "https://t.me/cKure/10626", "content": "\u25a0\u25a0\u25a0\u25a1\u25a1 Technical Advisory \u2013 U-Boot \u2013 Unchecked Download Size and Direction in USB DFU (CVE-2022-2347).\n\nhttps://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/", "creation_timestamp": "2023-01-22T09:02:14.000000Z"}, {"uuid": "217c9e1c-c2fe-4329-b716-8161a9a1643b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "published-proof-of-concept", "source": "https://t.me/freeosint/1172", "content": "\ud83d\udce1U-boot \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u0432 Starlink \u0432 \u043a\u0430\u0447\u0435\u0441\u0442\u0432\u0435 
\u0433\u043b\u0430\u0432\u043d\u043e\u0433\u043e \u0431\u0443\u0442\u043b\u043e\u0430\u0434\u0435\u0440\u0430 \u0442\u0435\u0440\u043c\u0438\u043d\u0430\u043b\u0430 (\u043f\u043e \u043d\u0435\u043a\u043e\u0442\u043e\u0440\u044b\u043c \u043f\u043e\u0441\u0442\u0430\u043c \u0432 \u043a\u0430\u043d\u0430\u043b\u0435 \u0443\u0436\u0435 \u0441\u043a\u043e\u0440\u0435\u0435 \u0432\u0441\u0435\u0433\u043e \u0437\u043d\u0430\u0435\u0442\u0435, \u0438\u043b\u0438 \u0440\u0430\u043d\u0435\u0435 \u0437\u043d\u0430\u043b\u0438), \u0435\u0441\u043b\u0438 \u043a\u0442\u043e \u0432\u0434\u0440\u0443\u0433 \u0437\u0430\u0445\u043e\u0447\u0435\u0442 \u0437\u0430\u043d\u044f\u0442\u044c\u0441\u044f \u0435\u0433\u043e \u0438\u0441\u0441\u043b\u0435\u0434\u043e\u0432\u0430\u043d\u0438\u0435\u043c,  \u043f\u0440\u0438\u043a\u043b\u0430\u0434\u044b\u0432\u0430\u044e \u043d\u0438\u0436\u0435 \u0441\u0441\u044b\u043b\u043a\u0438 \u0434\u043b\u044f \u0443\u043f\u0440\u043e\u0449\u0435\u043d\u0438\u044f \u043f\u0440\u043e\u0446\u0435\u0441\u0441\u0430\n\n\ud83d\udce1U-boot is used in Starlink as the main bootloader in terminal (according to some posts in the channel, you probably already know, or previously knew), if someone suddenly wants to do his research, I attach the links below to simplify the process.\n\n\ud83d\udcbeU-Boot Source Tree\n\ud83d\udcbeu-boot from starlink wi-fi gen2 \n\ud83d\udcbeU-Boot in OpenWrt\n\ud83d\udcbeu-boot docs \n\ud83d\udcbeThe u-booting securely\n\ud83d\udcbeU-Boot Secure Boot\n\ud83d\udcbeU-Boot Verified Boot vulnerability: CVE-2020-10648\n\ud83d\udcbeAnalysis and reverse-engineering of the original Starlink router(helpful information about u-boot in Starlink)\n\ud83d\udcbeReversing embedded device bootloader (U-Boot) - p.1\n\ud83d\udcbeReversing embedded device bootloader (U-Boot) - p.2\n\ud83d\udcbeDas U-Boot Verified Boot Bypass\n\ud83d\udcbeRecovering Firmware Through U-boot\n\ud83d\udcbeBushwhacking your way around a bootloader\n\ud83d\udcbeMultiple 
Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)\n\ud83d\udcbeCVE-2022-2347\n\ud83d\udcbedepthcharge is an U-Boot hacking toolkit for security researchers and tinkerers", "creation_timestamp": "2022-11-05T09:45:10.000000Z"}, {"uuid": "184d64a0-b8bf-418b-b2eb-ec431536c0be", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "published-proof-of-concept", "source": "https://t.me/orderofsixangles/1787", "content": "Technical Advisory \u2013 U-Boot \u2013 Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)\n\nhttps://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347/", "creation_timestamp": "2023-01-21T12:39:40.000000Z"}, {"uuid": "9771896c-638e-4a76-82b0-d0c8e92b1c99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "seen", "source": "https://t.me/ctinow/88408", "content": "Technical Advisory \u2013 U-Boot \u2013 Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)\n\nhttps://ift.tt/HcgkhjU", "creation_timestamp": "2023-01-21T18:22:10.000000Z"}, {"uuid": "a2e16189-5913-4867-87fa-e643655ccfe9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23476", "type": "seen", "source": "https://t.me/cibsecurity/54149", "content": "\u203c CVE-2022-23476 \u203c\n\nNokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. 
For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-08T07:12:14.000000Z"}, {"uuid": "b347151d-6c7d-4e16-832e-2cab868363b2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23475", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/1706", "content": "#exploit\n1. CVE-2022-23475:\ndaloRADIUS Vulnerablity\nhttps://securityonline.info/cve-2022-23475-account-take-over-flaw-in-open-source-radius-web-management-app\n\n2. Django RCE(DJRCE) exploitation with leaked SECRET_KEY variable\nhttps://github.com/0xuf/DJRCE\n\n3. Exploit collection for some Service DCOM Object LPE vulnerability (by SeImpersonatePrivilege abuse)\nhttps://github.com/zcgonvh/DCOMPotato", "creation_timestamp": "2022-12-14T19:53:35.000000Z"}, {"uuid": "47d10f14-7353-4eff-84e3-adbf2615e847", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/2408", "content": "#exploit\n1. A Step-By-Step Introduction To The Use Of ROP Gadgets To Bypass DEP\nhttps://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadgets-to-bypass-dep\n\n2. b3typer - Simple typer bug\nhttps://blog.bi0s.in/2023/01/23/Pwn/bi0sCTF22-b3typer\n\n3. 
CVE-2022-2347:\nU-Boot - Unchecked Download Size/Direction in USB DFU\nhttps://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347", "creation_timestamp": "2023-01-24T14:44:40.000000Z"}, {"uuid": "4f497ad7-a402-473d-951c-2eec51b30b16", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23473", "type": "seen", "source": "https://t.me/cibsecurity/54382", "content": "\u203c CVE-2022-23473 \u203c\n\nTuleap is an Open Source Suite to improve management of software developments and collaboration. In versions prior to 14.2.99.148, Authorizations are not properly verified when accessing MediaWiki standalone resources. Users with read only permissions for pages are able to also edit them. This only affects the MediaWiki standalone plugin. This issue is patched in versions Tuleap Community Edition 14.2.99.148, Tuleap Enterprise Edition 14.2-5, and Tuleap Enterprise Edition 14.1-6.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-13T12:32:29.000000Z"}, {"uuid": "72eab674-ec8f-4a28-9eae-d7b188301e94", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23478", "type": "seen", "source": "https://t.me/cibsecurity/54234", "content": "\u203c CVE-2022-23478 \u203c\n\nxrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a Out of Bound Write in xrdp_mm_trans_process_drdynvc_channel_open() function. There are no known workarounds for this issue. 
Users are advised to upgrade.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-09T20:18:45.000000Z"}, {"uuid": "2cee3c34-afc8-4174-8166-75f629b88978", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23479", "type": "seen", "source": "https://t.me/cibsecurity/54224", "content": "\u203c CVE-2022-23479 \u203c\n\nxrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). xrdp < v0.9.21 contain a buffer over flow in xrdp_mm_chan_data_in() function. There are no known workarounds for this issue. Users are advised to upgrade.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-09T20:18:32.000000Z"}, {"uuid": "b7c58376-9c03-4f2c-b72f-2a8e6ed3699f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23474", "type": "seen", "source": "https://t.me/cibsecurity/54607", "content": "\u203c CVE-2022-23474 \u203c\n\nEditor.js is a block-style editor with clean JSON output. Versions prior to 2.26.0 are vulnerable to Code Injection via pasted input. The processHTML method passes pasted input into wrapper\u2019s innerHTML. This issue is patched in version 2.26.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-15T22:23:35.000000Z"}, {"uuid": "287a39ca-3561-4818-a613-2678fb90a809", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23477", "type": "seen", "source": "https://t.me/cibsecurity/54241", "content": "\u203c CVE-2022-23477 \u203c\n\nxrdp is an open source project which provides a graphical login to remote machines using Microsoft Remote Desktop Protocol (RDP). 
xrdp < v0.9.21 contain a buffer over flow in audin_send_open() function. There are no known workarounds for this issue. Users are advised to upgrade.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-09T20:18:56.000000Z"}, {"uuid": "8bece26f-35c7-47d6-94c0-816f41395383", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23475", "type": "seen", "source": "https://t.me/cibsecurity/54098", "content": "\u203c CVE-2022-23475 \u203c\n\ndaloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting (XSS) and cross site request forgery (CSRF) vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in the DOM on line 116. This issue has been addressed in commit `ec3b4a419e`. Users are advised to manually apply the commit in order to mitigate this issue. Users may also mitigate this issue with in two parts 1) The CSRF vulnerability can be mitigated by making the daloRadius session cookie to samesite=Lax or by the implimentation of a CSRF token in all forms. 2) The XSS vulnerability may be mitigated by escaping it or by introducing a Content-Security policy.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-06T22:41:06.000000Z"}, {"uuid": "e3b6cf42-eae2-4923-b91f-ae31b3e7ad0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23472", "type": "seen", "source": "https://t.me/cibsecurity/54080", "content": "\u203c CVE-2022-23472 \u203c\n\nPasseo is an open source python password generator. Versions prior to 1.0.5 rely on the python `random` library for random value selection. 
The python `random` library warns that it should not be used for security purposes due to its reliance on a non-cryptographically secure random number generator. As a result a motivated attacker may be able to guess generated passwords. This issue has been addressed in version 1.0.5. Users are advised to upgrade. There are no known workarounds for this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-06T20:40:59.000000Z"}, {"uuid": "4acfdd6d-5cc0-4152-b18b-ad8a6dcc693f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23470", "type": "seen", "source": "https://t.me/cibsecurity/54075", "content": "\u203c CVE-2022-23470 \u203c\n\nGalaxy is an open-source platform for data analysis. An arbitrary file read exists in Galaxy 22.01 and Galaxy 22.05 due to the switch to Gunicorn, which can be used to read any file accessible to the operating system user under which Galaxy is running. This vulnerability affects Galaxy 22.01 and higher, after the switch to gunicorn, which serve static contents directly. Additionally, the vulnerability is mitigated when using Nginx or Apache to serve /static/* contents, instead of Galaxy's internal middleware. This issue has been patched in commit `e5e6bda4f` and will be included in future releases. Users are advised to manually patch their installations. There are no known workarounds for this vulnerability.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-06T20:40:53.000000Z"}, {"uuid": "77c913ef-39dc-4a7c-ab73-2b76a84d0d59", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23475", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7333", "content": "#exploit\n1. 
CVE-2022-23475:\ndaloRADIUS Vulnerablity\nhttps://securityonline.info/cve-2022-23475-account-take-over-flaw-in-open-source-radius-web-management-app\n\n2. Django RCE(DJRCE) exploitation with leaked SECRET_KEY variable\nhttps://github.com/0xuf/DJRCE\n\n3. Exploit collection for some Service DCOM Object LPE vulnerability (by SeImpersonatePrivilege abuse)\nhttps://github.com/zcgonvh/DCOMPotato", "creation_timestamp": "2022-12-10T13:08:01.000000Z"}, {"uuid": "dcec96fe-bf47-410a-bf0b-d87e3edf19c9", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "seen", "source": "https://t.me/cibsecurity/50314", "content": "\u203c CVE-2022-2347 \u203c\n\nThere exists an unchecked length field in UBoot. The U-Boot DFU implementation does not bound the length field in USB DFU download setup packets, and it does not verify that the transfer direction corresponds to the specified command. Consequently, if a physical attacker crafts a USB DFU download setup packet with a `wLength` greater than 4096 bytes, they can write beyond the heap-allocated request buffer.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-09-23T16:13:24.000000Z"}, {"uuid": "8209b7a2-e6b9-49e0-b52e-5b2b69d080b5", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-2347", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/7610", "content": "#exploit\n1. A Step-By-Step Introduction To The Use Of ROP Gadgets To Bypass DEP\nhttps://cybergeeks.tech/a-step-by-step-introduction-to-the-use-of-rop-gadgets-to-bypass-dep\n\n2. b3typer - Simple typer bug\nhttps://blog.bi0s.in/2023/01/23/Pwn/bi0sCTF22-b3typer\n\n3. 
CVE-2022-2347:\nU-Boot - Unchecked Download Size/Direction in USB DFU\nhttps://research.nccgroup.com/2023/01/20/technical-advisory-u-boot-unchecked-download-size-and-direction-in-usb-dfu-cve-2022-2347", "creation_timestamp": "2023-01-24T11:01:01.000000Z"}]}