GHSA-7v7g-9vx6-vcg2: Goobi viewer Core Reflected Cross-Site Scripting Vulnerability Using LOGID Parameter

### Impact

A reflected cross-site scripting vulnerability has been identified in Goobi viewer core when evaluating the LOGID parameter. An attacker could trick a user into following a specially crafted link to a Goobi viewer installation, resulting in the execution of malicious script code in the user's browser.

### Patches

The vulnerability has been fixed in version 23.03.

### Credits

We would like to thank [RUS-CERT](https://cert.uni-stuttgart.de/) for reporting this issue.

If you have any questions or comments about this advisory:

* Email us at [support@intranda.com](mailto:support@intranda.com)

GHSA-622w-995c-3c3h: Goobi viewer Core has Cross-Site Scripting Vulnerability in User Comments

### Impact

A cross-site scripting vulnerability has been identified in the user comment feature of Goobi viewer core. An attacker could create a specially crafted comment, resulting in the execution of malicious script code in the user's browser when displaying the comment.

### Patches

The vulnerability has been fixed in version 23.03.

If you have any questions or comments about this advisory:

* Email us at [support@intranda.com](mailto:support@intranda.com)

GHSA-2r9r-8fcg-m38g: Goobi viewer Core has Cross-Site Scripting Vulnerability in User Nicknames

### Impact

A cross-site scripting vulnerability has been identified in Goobi viewer core when using nicknames. An attacker could create a user account and enter malicious scripts into their profile's nickname, resulting in their execution in the user's browser when the nickname is displayed on certain pages.

### Patches

The vulnerability has been fixed in version 23.03.

If you have any questions or comments about this advisory:

* Email us at [support@intranda.com](mailto:support@intranda.com)

GHSA-ffj9-4crc-q7wf: Apache Airflow Spark Provider vulnerable to improper input validation

Apache Software Foundation's Apache Airflow Spark Provider before 4.0.1 is vulnerable to improper input validation because the host and schema of the JDBC Hook can contain `/` and `?`, which are used to denote the end of the field.

GHSA-85pf-r4c7-3j9r: Apache Airflow Drill Provider vulnerable to improper input validation

Apache Software Foundation's Apache Airflow Drill Provider before 2.3.2 is vulnerable to improper input validation because the host passed in the Drill connection is not sanitized.

GHSA-5cvg-9pp5-mxcj: Apache Airflow Hive Provider vulnerable to code injection

Apache Software Foundation's Apache Airflow Hive Provider before 6.0.0 is vulnerable to improper control of generation of code.

GHSA-776f-qx25-q3cc: xml2js is vulnerable to prototype pollution

xml2js version 0.4.23 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.

GHSA-f8r8-h93m-mj77: HashiCorp Nomad vulnerable to unauthenticated client agent HTTP request privilege escalation

HashiCorp Nomad and Nomad Enterprise versions 1.5.0 up to 1.5.2 allow unauthenticated users to bypass intended ACL authorizations for clusters where mTLS is not enabled. This issue is fixed in version 1.5.3.

GHSA-jvjx-qqh7-6x6c: thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via FAQ News link parameter

thorsten/phpmyfaq prior to 3.1.12 is vulnerable to stored cross-site scripting (XSS) because it fails to sanitize user input in the FAQ News link parameter. This has been fixed in 3.1.12.

GHSA-gx43-fqrx-6fcw: thorsten/phpmyfaq vulnerable to business logic errors

thorsten/phpmyfaq prior to 3.1.12 allows users with edit-only permissions to add and delete categories and add FAQs. This has been fixed in 3.1.12.