{"vulnerability": "CVE-2022-4400", "sightings": [{"uuid": "f0572e63-2c1f-44e8-81c4-372cbac59aa8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44007", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/13933", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44007\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.\n\ud83d\udccf Published: 2022-11-16T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-29T20:31:25.154Z\n\ud83d\udd17 References:\n1. https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037\n2. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-036.txt", "creation_timestamp": "2025-04-29T21:13:39.000000Z"}, {"uuid": "b2967e89-b0f9-4817-8b35-7b6d9be87c75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44001", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/13834", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44001\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.\n\ud83d\udccf Published: 2022-11-17T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-29T14:56:45.457Z\n\ud83d\udd17 References:\n1. https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037\n2. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-035.txt", "creation_timestamp": "2025-04-29T15:11:42.000000Z"}, {"uuid": "22a73f30-1850-40d4-97a0-61c28580e475", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44005", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14038", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44005\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.\n\ud83d\udccf Published: 2022-11-16T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-30T14:00:49.152Z\n\ud83d\udd17 References:\n1. https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037\n2. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-026.txt", "creation_timestamp": "2025-04-30T14:13:04.000000Z"}, {"uuid": "1e4055e7-dee1-4772-9046-a321286b44d8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44004", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14037", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44004\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.\n\ud83d\udccf Published: 2022-11-16T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-30T14:02:19.648Z\n\ud83d\udd17 References:\n1. https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037\n2. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-030.txt", "creation_timestamp": "2025-04-30T14:13:03.000000Z"}, {"uuid": "cc7da92b-aef2-4473-8718-54b1323eab33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44003", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14036", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44003\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: An issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.\n\ud83d\udccf Published: 2022-11-16T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-30T14:03:40.514Z\n\ud83d\udd17 References:\n1. https://www.syss.de/pentest-blog/vielfaeltige-schwachstellen-in-backclick-professional-syss-2022-026-bis-037\n2. https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-029.txt", "creation_timestamp": "2025-04-30T14:13:02.000000Z"}, {"uuid": "46e6e64c-6a86-45df-b150-77793cb656ae", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44009", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/13227", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2022-44009\n\ud83d\udd25 CVSS Score: N/A\n\ud83d\udd39 Description: Improper access control in Key-Value RBAC in StackStorm version 3.7.0 didn't check the permissions in Jinja filters, allowing attackers to access K/V pairs of other users, potentially leading to the exposure of sensitive Information.\n\ud83d\udccf Published: 2022-12-05T00:00:00.000Z\n\ud83d\udccf Modified: 2025-04-24T13:56:33.601Z\n\ud83d\udd17 References:\n1. https://stackstorm.com/2022/12/v3-8-0-released/", "creation_timestamp": "2025-04-24T14:05:43.000000Z"}, {"uuid": "fa43a93e-1c4e-412d-af46-966f22476d75", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44006", "type": "seen", "source": "https://t.me/cibsecurity/53049", "content": "\u203c CVE-2022-44006 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:58:42.000000Z"}, {"uuid": "29d9e83d-0cf3-4f82-9bcb-57b89127cbe0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-4400", "type": "seen", "source": "https://t.me/cibsecurity/54259", "content": "\u203c CVE-2022-4400 \u203c\n\nA vulnerability was found in zbl1996 FS-Blog and classified as problematic. This issue affects some unknown processing of the component Title Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-215267.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-12-11T12:19:54.000000Z"}, {"uuid": "dfa799d8-39dc-4bc7-b140-8038868a0b38", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44000", "type": "seen", "source": "https://t.me/cibsecurity/53048", "content": "\u203c CVE-2022-44000 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to an exposed internal communications interface, it is possible to execute arbitrary system commands on the server.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:58:41.000000Z"}, {"uuid": "7dc28158-2821-4963-a40d-71cd6f63210f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44002", "type": "seen", "source": "https://t.me/cibsecurity/53046", "content": "\u203c CVE-2022-44002 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient output encoding of user-supplied data, the web application is vulnerable to cross-site scripting (XSS) at various locations.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:53:04.000000Z"}, {"uuid": "820152df-a8da-4acc-a9f3-884efaca6951", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44007", "type": "seen", "source": "https://t.me/cibsecurity/53045", "content": "\u203c CVE-2022-44007 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to an unsafe implementation of session tracking, it is possible for an attacker to trick users into opening an authenticated user session for a session identifier known to the attacker, aka Session Fixation.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:53:04.000000Z"}, {"uuid": "49b0e91c-f1d4-45b9-8b04-2a87f4de981e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44004", "type": "seen", "source": "https://t.me/cibsecurity/53042", "content": "\u203c CVE-2022-44004 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to insecure design or lack of authentication, unauthenticated attackers can complete the password-reset process for any account and set a new password.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:53:01.000000Z"}, {"uuid": "13ea6e1b-7e00-4473-881a-9a047bada057", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44001", "type": "seen", "source": "https://t.me/cibsecurity/53107", "content": "\u203c CVE-2022-44001 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. User authentication for accessing the CORBA back-end services can be bypassed.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-18T00:17:57.000000Z"}, {"uuid": "416db537-6e64-4c4f-ad6d-70c7e6d05732", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44003", "type": "seen", "source": "https://t.me/cibsecurity/53055", "content": "\u203c CVE-2022-44003 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to insufficient escaping of user-supplied input, the application is vulnerable to SQL injection at various locations.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T16:01:53.000000Z"}, {"uuid": "80925d99-a228-4859-84cd-3cb42d815d51", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44008", "type": "seen", "source": "https://t.me/cibsecurity/53052", "content": "\u203c CVE-2022-44008 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation, arbitrary local files can be retrieved by accessing the back-end Tomcat server directly.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T15:58:48.000000Z"}, {"uuid": "04a8c1b9-745e-4a4f-99fd-cad16de41575", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-44005", "type": "seen", "source": "https://t.me/cibsecurity/53056", "content": "\u203c CVE-2022-44005 \u203c\n\nAn issue was discovered in BACKCLICK Professional 5.9.63. Due to the use of consecutive IDs in verification links, the newsletter sign-up functionality is vulnerable to the enumeration of subscribers' e-mail addresses. Furthermore, it is possible to subscribe and verify other persons' e-mail addresses to newsletters without their consent.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2022-11-17T16:01:54.000000Z"}]}