Source: ghsa
GHSA-44w5-q257-8428: Exposure of password hashes in notrinos/notrinos-erp

The AP officer's account is authorized to back up and restore the database. Because of this, the officer can download the backup and see the password hash of the System Administrator account. The weak hash (MD5) of the password can easily be cracked to recover the admin password.

GHSA-rjvc-mf7r-ch7r: Cross site scripting in yetiforce/yetiforce-crm

Cross-site Scripting (XSS) - Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.

GHSA-h9mh-mgpv-gqmv: Remote code execution in Apache Flume

Apache Flume versions 1.4.0 through 1.10.0 are vulnerable to a remote code execution (RCE) attack when a configuration uses a JMS Source with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI to allow only the use of the java protocol or no protocol.

GHSA-qwp3-5fw3-5wgv: Incorrect Access Control and Cross Site Scripting in Jellyfin

In Jellyfin before 10.8, the /users endpoint has incorrect access control for admin functionality. This lack of access control can be leveraged to perform a cross-site scripting attack.

GHSA-7qq9-9g2w-56f9: Improper Privilege Management in com.xuxueli:xxl-job

XXL-JOB, all versions as of 11 July 2022, is vulnerable to insecure permissions, resulting in the ability to execute admin functions with a low-privilege account.

GHSA-4m2g-668v-jwjx: Cross site scripting in getkirby/starterkit

A stored cross-site scripting (XSS) vulnerability in Kirby's Starterkit v3.7.0.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Tags field.

GHSA-mv48-hcvh-8jj8: Vitejs Vite before v2.9.13 vulnerable to directory traversal via crafted URL to victim's service

Vitejs Vite before v2.9.13 was discovered to allow attackers to perform a directory traversal via a crafted URL to the victim's service.

GHSA-h28c-453m-h9xm: Path Traversal in Payara

Payara through 5.2022.2 allows directory traversal without authentication. This affects Payara Server, Payara Micro, and Payara Server Embedded.

GHSA-mj5w-w588-j6xg: Use of Hard-coded Credentials in AgileConfig.Client

A hardcoded JWT secret in AgileConfig Server before 1.6.8 allows remote attackers to use the generated JWT token to gain administrator access.

GHSA-8cwq-4cmf-px73: PocketMine-MP invalid skin geometry JSON data leading to server crash

### Impact

`pocketmine\entity\Skin` doesn't correctly handle errors produced by `adhocore/json-comment`, which throws `RuntimeException` rather than returning `false` as PocketMine-MP expects. This leads to a server crash if the skin geometry data is invalid for some reason (e.g. a syntax error).

### Patches

c9626c610b8f6810c8c987559c9197b2a291f0bb

### Workarounds

A plugin could handle `LoginPacket` and `PlayerSkinPacket` to verify the skin geometry data can be parsed correctly, so that the error condition in the core code is never reached.

### For more information

If you have any questions or comments about this advisory:

* Email us at [security@pmmp.io](mailto:security@example.com)