Security
Headlines
HeadlinesLatestCVEs

Source

CVE

CVE-2023-4434: huntr – Security Bounties for any GitHub repository

Missing Authorization in GitHub repository hamza417/inure prior to build88.

CVE
#git#auth
CVE-2023-40711: CHANGELOG.md · main · Veilid / veilid · GitLab

Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service (out-of-memory abort) via crafted packet data, as exploited in the wild in August 2023.

CVE-2023-2317: Typora 1.6

DOM-based XSS in updater/update.html in Typora before 1.6.7 on Windows and Linux allows a crafted markdown file to run arbitrary JavaScript code in the context of Typora main window via loading typora://app/typemark/updater/update.html in <embed> tag. This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

CVE-2023-2316: (CVE-2023-2316) Typora Local File Disclosure

Improper path handling in Typora before 1.6.7 on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

CVE-2023-2971: (CVE-2023-2971) Typora Local File Disclosure (Patch Bypass)

Improper path handling in Typora before 1.7.0-dev on Windows and Linux allows a crafted webpage to access local files and exfiltrate them to remote web servers via "typora://app/typemark/". This vulnerability can be exploited if a user opens a malicious markdown file in Typora, or copies text from a malicious webpage and paste it into Typora.

CVE-2023-2110: (CVE-2023-2110) Obsidian Local File Disclosure

Improper path handling in Obsidian desktop before 1.2.8 on Windows, Linux and macOS allows a crafted webpage to access local files and exfiltrate them to remote web servers via "app://local/<absolute-path>". This vulnerability can be exploited if a user opens a malicious markdown file in Obsidian, or copies text from a malicious webpage and paste it into Obsidian.

CVE-2023-2318: Security Issue: DOM-Based XSS leading to RCE · Issue #3618 · marktext/marktext

DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

CVE-2023-4432: Fix possible Cross-site Scripting (XSS) in Rest/GraphQL viewer · Cockpit-HQ/Cockpit@2a93d39

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4433

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-38839: [VULN] Unauthenticated SQLi in ID parameter of fulldelete.php · Issue #2 · kiduswb/minimati

SQL injection vulnerability in Kidus Minimati v.1.0.0 allows a remote attacker to obtain sensitive information via theID parameter in the fulldelete.php component.