Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-f7rp-xx67-4pj9: Phachon mm-wiki vulnerable to stored cross-site scripting (XSS)

Phachon mm-wiki v.0.1.2 vulnerable to stored cross-site scripting (XSS). This could allow a remote attacker to execute arbitrary code via JavaScript code in the markdown editor. Any user browsing the document containing XSS malicious code will trigger the vulnerability.

ghsa
Open in Source
#xss#vulnerability#git#java
GHSA-f6xp-59jq-r35c: Phachon mm-wiki Cross Site Request Forgery vulnerability

Cross Site Request Forgery vulnerability found in Phachon mm-wiki v.0.1.2 allows a remote attacker to execute arbitrary code via the system/user/save parameter.

GHSA-3gvp-54v2-2jrp: Directus API vulnerable to denial of service

An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a great amount of HTTP requests.

GHSA-w974-rq9x-mh3v: Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the `<iframe> src` parameter.

GHSA-hx8p-9m48-g76r: Ming-Soft MCMS vulnerable to SQL injection

SQL Injection vulnerability found in Ming-Soft MCMS v.4.7.2 allows a remote attacker to execute arbitrary code via `basic_title` parameter. This issue is resolved in v5.1.

GHSA-5p84-mmh9-pxgr: Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script to the `editor` parameter.

GHSA-4f25-2x2c-vg6v: pimcore is vulnerable to cross-site scripting in Composite indices key field

### Impact Pimcore is vulnerable to Cross site scripting vulnerability in classes module. ### Patches Update to version 10.5.20. ### Workarounds Apply the patch https://github.com/pimcore/pimcore/commit/765832f0dc5f6cfb296a82e089b701066f27bcef.patch manually.

GHSA-2qv5-7mw5-j3cg: spin-rs initialisation failure in `Once::try_call_once` can lead to undefined behaviour for other initialisers

`Once::try_call_once` is unsound if invoked more than once concurrently and any call fails to initialise successfully.

GHSA-38h6-gmr2-j4wx: Silverstripe Form Capture vulnerable to stored cross-site-scripting

### Impact Improper escaping when presenting stored form submissions allowed for an attacker to perform a Cross-Site Scripting attack ### Patches The vulnerability was initially patched in version 1.0.2, and version 1.1.0 includes this patch. The bug was then accidentally re-introduced during a merge error, and has been re-patched in versions 2.2.5 and 3.1.1.

GHSA-33pv-vcgh-jfg9: Wagtail vulnerable to denial-of-service via memory exhaustion when uploading large files

### Impact A memory exhaustion bug exists in Wagtail's handling of uploaded images and documents. For both images and documents, files are loaded into memory during upload for additional processing. A user with access to upload images or documents through the Wagtail admin interface could upload a file so large that it results in a crash or denial of service. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. It can only be exploited by admin users with permission to upload images or documents. Image uploads are [restricted to 10MB by default](https://docs.wagtail.org/en/stable/reference/settings.html#wagtailimages-max-upload-size), however this validation only happens on the frontend and on the backend after the vulnerable code. ### Patches Patched versions have been released as Wagtail 4.1.4 (for the LTS 4.1 branch) and Wagtail 4.2.2 (for the current 4.2 branch). ### Workarounds Site owners who are unable to upgrade to the ne...