CVE-2022-3133 OS Command Injection in GitHub repository jgraph/drawio prior to 20.3.0.

A remote attacker could exploit this flaw to execute arbitrary commands with root permissions via the API endpoint.

CVE-2019-5404 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-Frame-Options response could be used to cause an XSS attack.

CVE-2019-5403 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.

CVE-2019-5402 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.

CVE-2019-5401 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.

CVE-2019-5400 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X-XSS-Protection response could be used to cause an XSS attack.

CVE-2019-5399 An issue was discovered with Graphite 1.2.0 prior to 1.2.18, where a malformed X

Crash on Triggering certain Graphite API Endpoints

The following Graphite API endpoints are known to crash:

- /graphite/service/storage/request
- /graphite/service/storage/update
- /graphite/service/storage/delete
- /graphite/service/store
- /graphite/service/query

A remote attacker could exploit these crashes to execute arbitrary commands with root permissions via the API endpoint.

Timeline

Published on: 09/09/2022 18:15:00 UTC
Last modified on: 09/15/2022 15:30:00 UTC

References