{"vulnerability": "CVE-2022-2354", "sightings": [{"uuid": "699b2658-2405-455e-a314-7df30cc8e797", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23546", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7070", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23546\n\ud83d\udd25 CVSS Score: 5.5 (cvssV3_1, Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)\n\ud83d\udd39 Description: In version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.\n\ud83d\udccf Published: 2023-01-05T18:10:08.048Z\n\ud83d\udccf Modified: 2025-03-10T21:32:03.679Z\n\ud83d\udd17 References:\n1. https://github.com/discourse/discourse/security/advisories/GHSA-q9jp-xv4g-328f\n2. https://github.com/discourse/discourse/commit/cf862e736565c6fa905c12b5dbe63d0bd056efb8", "creation_timestamp": "2025-03-10T21:39:27.000000Z"}, {"uuid": "611245ed-f1d1-48a6-b6f3-e5988a94e981", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23548", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7067", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23548\n\ud83d\udd25 CVSS Score: 6.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)\n\ud83d\udd39 Description: Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to regular expression denial of service (ReDoS) attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.\n\ud83d\udccf Published: 2023-01-05T00:00:00.000Z\n\ud83d\udccf Modified: 2025-03-10T21:32:22.096Z\n\ud83d\udd17 References:\n1. https://github.com/discourse/discourse/security/advisories/GHSA-7rw2-f4x7-7pxf\n2. https://github.com/discourse/discourse/pull/19737", "creation_timestamp": "2025-03-10T21:39:21.000000Z"}, {"uuid": "97a94d5b-83aa-4a8e-9b74-95cb06343a14", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23549", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/7068", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23549\n\ud83d\udd25 CVSS Score: 5.7 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H)\n\ud83d\udd39 Description: Discourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.\n\ud83d\udccf Published: 2023-01-05T00:00:00.000Z\n\ud83d\udccf Modified: 2025-03-10T21:32:15.478Z\n\ud83d\udd17 References:\n1. https://github.com/discourse/discourse/commit/bf6b08670a927cc80bb090b7a2e710b4b554e6a8\n2. https://github.com/discourse/discourse/security/advisories/GHSA-p47g-v5wr-p4xp", "creation_timestamp": "2025-03-10T21:39:22.000000Z"}, {"uuid": "57ab7391-5b78-4a45-a381-f44beb08eebc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23547", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/11751", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23547\n\ud83d\udd25 CVSS Score: 6.5 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:H)\n\ud83d\udd39 Description: PJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch.\n\ud83d\udccf Published: 2022-12-23T14:00:22.817Z\n\ud83d\udccf Modified: 2025-04-15T03:12:28.456Z\n\ud83d\udd17 References:\n1. https://github.com/pjsip/pjproject/security/advisories/GHSA-cxwq-5g9x-x7fr\n2. https://github.com/pjsip/pjproject/security/advisories/GHSA-9pfh-r8x4-w26w\n3. https://github.com/pjsip/pjproject/commit/bc4812d31a67d5e2f973fbfaf950d6118226cf36\n4. https://lists.debian.org/debian-lts-announce/2023/08/msg00038.html", "creation_timestamp": "2025-04-15T03:54:32.000000Z"}, {"uuid": "411562dc-dd08-4a71-8b1c-fc03d52e1fb4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23542", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/12066", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-23542\n\ud83d\udd25 CVSS Score: 7.7 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)\n\ud83d\udd39 Description: OpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n\n\ud83d\udccf Published: 2022-12-20T20:15:16.628Z\n\ud83d\udccf Modified: 2025-04-16T14:43:38.712Z\n\ud83d\udd17 References:\n1. https://github.com/openfga/openfga/security/advisories/GHSA-m3q4-7qmj-657m\n2. https://github.com/openfga/openfga/pull/422\n3. https://github.com/openfga/openfga/releases/tag/v0.3.1", "creation_timestamp": "2025-04-16T14:56:36.000000Z"}, {"uuid": "f4f6f89c-17cb-4f4e-925b-543d5995fc83", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23547", "type": "seen", "source": "https://t.me/cibsecurity/55253", "content": "\u203c CVE-2022-23547 \u203c\n\nPJSIP is a free and open source multimedia communication library written in C language implementing standard based protocols such as SIP, SDP, RTP, STUN, TURN, and ICE. This issue is similar to GHSA-9pfh-r8x4-w26w. Possible buffer overread when parsing a certain STUN message. The vulnerability affects applications that uses STUN including PJNATH and PJSUA-LIB. The patch is available as commit in the master branch.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-23T18:14:45.000000Z"}, {"uuid": "214a843a-6674-460f-9a36-f0cfad61c694", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23548", "type": "seen", "source": "https://t.me/cibsecurity/56009", "content": "\u203c CVE-2022-23548 \u203c\n\nDiscourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta16 on the `beta` and `tests-passed` branches, parsing posts can be susceptible to XSS attacks. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-05T22:19:26.000000Z"}, {"uuid": "e9c17d60-b2e8-495f-82fe-6d8a77228bc0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23546", "type": "seen", "source": "https://t.me/cibsecurity/56007", "content": "\u203c CVE-2022-23546 \u203c\n\nIn version 2.9.0.beta14 of Discourse, an open-source discussion platform, maliciously embedded urls can leak an admin's digest of recent topics, possibly exposing private information. A patch is available for version 2.9.0.beta15. There are no known workarounds for this issue.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-05T22:19:20.000000Z"}, {"uuid": "9c9a69cf-a7f6-40f4-9ba6-b676e221b364", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23549", "type": "seen", "source": "https://t.me/cibsecurity/56003", "content": "\u203c CVE-2022-23549 \u203c\n\nDiscourse is an option source discussion platform. Prior to version 2.8.14 on the `stable` branch and version 2.9.0.beta15 on the `beta` and `tests-passed` branches, users can create posts with raw body longer than the `max_length` site setting by including html comments that are not counted toward the character limit. This issue is patched in versions 2.8.14 and 2.9.0.beta16. There are no known workarounds.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2023-01-05T22:19:16.000000Z"}, {"uuid": "bba20221-95e5-441b-9abb-e0c7ab99bbe4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23541", "type": "seen", "source": "https://t.me/cibsecurity/55125", "content": "\u203c CVE-2022-23541 \u203c\n\njsonwebtoken is an implementation of JSON Web Tokens. Versions `&lt;= 8.5.1` of `jsonwebtoken` library can be misconfigured so that passing a poorly implemented key retrieval function referring to the `secretOrPublicKey` argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-23T06:15:26.000000Z"}, {"uuid": "c0ccb7b6-dbf0-4ed9-a7fe-0474a7a221e7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23542", "type": "seen", "source": "https://t.me/cibsecurity/55030", "content": "\u203c CVE-2022-23542 \u203c\n\nOpenFGA is an authorization/permission engine built for developers and inspired by Google Zanzibar. During an internal security assessment, it was discovered that OpenFGA version 0.3.0 is vulnerable to authorization bypass under certain conditions. This issue has been patched in version 0.3.1 and is backward compatible.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-21T00:12:48.000000Z"}, {"uuid": "4f599f9d-e2f1-400a-9eba-c9f9e9bea60e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-23543", "type": "seen", "source": "https://t.me/cibsecurity/54935", "content": "\u203c CVE-2022-23543 \u203c\n\nSilverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert(\"xss\")`) to the `'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-20T00:10:48.000000Z"}]}