Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-h3qr-39j9-4r5v: Data written to GitHub Actions Cache may expose secrets

### Impact This vulnerability impacts GitHub workflows using the [Gradle Build Action](https://github.com/marketplace/actions/gradle-build-action) that have executed the Gradle Build Tool with the [configuration cache](https://docs.gradle.org/current/userguide/configuration_cache.html) enabled, potentially exposing secrets configured for the repository. Secrets configured for GitHub Actions are normally passed to the Gradle Build Tool via environment variables. Due to the way that the Gradle Build Tool records these environment variables, they may be persisted into an entry in the GitHub Actions cache. This data stored in the GitHub Actions cache can be read by a GitHub Actions workflow running in an untrusted context, such as that running for a Pull Request submitted by a developer via a repository fork. This vulnerability was discovered internally through code review, and we have not seen any evidence of it being exploited in the wild. However, in addition to upgrading the Gradle ...

ghsa
Open in Source
#vulnerability#git#java#gradle
GHSA-8595-6653-96p2: phpMyFAQ vulnerable to Stored Cross-site Scripting

phpMyFAQ prior to 3.1.13 has a stored cross site scripting vulnerability in `name` field in add question module. This allows an attacker to steal user cookies.

GHSA-gh24-c683-79r2: Arbitrary code execution in jfinal CMS

Command execution vulnerability in the ActionEnter Class ins jfinal CMS version 5.1.0 allows attackers to execute arbitrary code via a created json file to the ueditor route.

GHSA-xfmj-r86m-j2hr: Stored cross site scripting on API integration

Concrete CMS (previously concrete5) before 9.2 is vulnerable to stored XSS on API Integrations via the name parameter.

GHSA-474f-mcjv-pgrm: Stored cross site scripting

Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.

GHSA-fgxj-g7x3-85cq: Stored cross site scripting in RSS displayer

Concrete CMS (previously concrete5) before 9.1 is vulnerable to stored XSS in RSS Displayer via the href attribute because the link element input was not sanitized.

GHSA-ph6g-6v8w-8p6m: Missing rate limit for password resets

Concrete CMS (previously concrete5) before 9.1 did not have a rate limit for password resets.

GHSA-vcpr-hm2m-gjjj: Reflected cross site scripting

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

GHSA-9h33-5fxw-r2xv: Stored cross site scripting via container name

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name.

GHSA-2j26-j953-2rph: Stored cross site scripting on saved presets

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Saved Presets on search.