Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-3w85-5p9g-h334: Apache ActiveMQ Artemis User Without Create Address Permissions can Modify Address Routing-Type

A vulnerability exists in Apache ActiveMQ Artemis whereby a user with the createDurableQueue or createNonDurableQueue permission on an address can augment the routing-type supported by that address even if said user doesn't have the createAddress permission for that particular address. When combined with the send permission and automatic queue creation a user could successfully send a message with a routing-type not supported by the address when that message should actually be rejected on the basis that the user doesn't have permission to change the routing-type of the address. This issue affects Apache ActiveMQ Artemis from 2.0.0 through 2.39.0. Users are recommended to upgrade to version 2.40.0 which fixes the issue.

ghsa
#vulnerability#web#apache#auth
GHSA-39g6-x4x8-5jcm: Drupal Core Potential Cross-Site Scripting (XSS) via Error Messages

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Drupal core allows Cross-Site Scripting (XSS).This issue affects Drupal core: from 8.0.0 before 10.3.13, from 10.4.0 before 10.4.3, from 11.0.0 before 11.0.12, from 11.1.0 before 11.1.3.

GHSA-86h4-w859-3hhv: Drupal RapiDoc OAS Field Formatter Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal RapiDoc OAS Field Formatter allows Cross-Site Scripting (XSS). This issue affects RapiDoc OAS Field Formatter: from 0.0.0 before 1.0.1.

GHSA-hf6c-fgp3-jfch: Drupal Two-factor Authentication (TFA) Vulnerable to Forceful Browsing

Incorrect Authorization vulnerability in Drupal Two-factor Authentication (TFA) allows Forceful Browsing. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.10.0.

GHSA-pwjq-fx3v-8f9r: Drupal AI Vulnerable to OS Command Injection via Optional Automator Types

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Drupal AI (Artificial Intelligence) allows OS Command Injection. This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.5.

GHSA-p2wg-8h29-874v: Drupal Link field display mode formatter Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Link field display mode formatter allows Cross-Site Scripting (XSS). This issue affects Link field display mode formatter: from 0.0.0 before 1.6.0.

GHSA-4f8q-mwgc-3mwc: Drupal OAuth2 Server Missing Authorization vulnerability

Missing Authorization vulnerability in Drupal OAuth2 Server allows Forceful Browsing. This issue affects OAuth2 Server: from 0.0.0 before 2.1.0.

GHSA-5r66-vgc7-2mm3: Drupal Formatter Suite Vulnerable to Cross-Site Scripting (XSS) via Link Element Attributes

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Formatter Suite allows Cross-Site Scripting (XSS).This issue affects Formatter Suite: from 0.0.0 before 2.1.0.

GHSA-36vv-q5jv-94cj: Drupal Google Tag Cross-Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Google Tag allows Cross-Site Scripting (XSS). This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.

GHSA-qchr-8m24-7v66: Drupal Google Tag Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Google Tag allows Cross Site Request Forgery. This issue affects Google Tag: from 0.0.0 before 1.8.0, from 2.0.0 before 2.0.8.