Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-474f-mcjv-pgrm: Stored cross site scripting

Concrete CMS (previously concrete5) before 9.1 is vulnerable to Stored XSS in uploaded file and folder names.

ghsa
Open in Source
#xss#git
GHSA-2ggc-552c-rmqr: Stored cross site scripting on tags

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Tags on uploaded files.

GHSA-f55r-8rcv-mqcf: Missing secure cookie parameters

Concrete CMS (previously concrete5) before 9.2 does not have Secure and HTTP only attributes set for ccmPoll cookies.

GHSA-vcpr-hm2m-gjjj: Reflected cross site scripting

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Reflected XSS on the Reply form because msgID was not sanitized.

GHSA-9h33-5fxw-r2xv: Stored cross site scripting via container name

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS via a container name.

GHSA-2j26-j953-2rph: Stored cross site scripting on saved presets

Concrete CMS (previously concrete5) before 9.2 is vulnerable to Stored XSS on Saved Presets on search.

GHSA-pj76-75cm-3552: Authenication bypass

Concrete CMS (previously concrete5) before 9.2 is vulnerable to possible Auth bypass in the jobs section.

GHSA-x422-6qhv-p29g: Relative path traversal in mlflow

Relative Path Traversal in GitHub repository mlflow/mlflow prior to 2.3.1.

GHSA-6vrj-ph27-qfp3: Remote code injection in wwbn/avideo

# WWBN Avideo Authenticated RCE - OS Command Injection ## Description An OS Command Injection vulnerability in an Authenticated endpoint `/plugin/CloneSite/cloneClient.json.php` allows attackers to achieve Remote Code Execution. Vulnerable code: ```php $cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}"; $log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file"); exec($cmd . " 2>&1", $output, $return_val); ``` We can control `$objClone->cloneSiteURL` through the admin panel clone site feature. `/plugin/CloneSite/cloneClient.json.php` sends a GET Request to `{$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php`. I hosted a specially crafted `cloneServer.json.php` that prints the following JSON data ```JSON {"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263...

GHSA-jgvc-jfgh-rjvv: Chosen Ciphertext Attack in Jose4j

### Summary RSA1_5 in jose4j is susceptible to chosen ciphertext attacks. The attack allows to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts. It may be feasible to sign with affected keys. ### Severity Moderate - exploiting this ciphertext attack could result in the ability to decrypt RSA1_5 or RSA_OAEP encrypted ciphertexts. ### Proof of Concept A test case that can reproduce the padding oracle uses the following private key: ``` { "kty": "RSA", "alg": "RSA1_5", "use": "enc", "n": "w2A4cbwOAK4ATnwXkGWereqv9dkEcgAGHc9g-cjo1HFeilYirvfD2Un2vQxW_6g2OKRPmmo46vMZFMYv_V57174j411y-NQlZGb7iFqMQADzo60VZ7vpvAX_NuxNGxYR-N2cBgvgqDiGAoO9ouNdhuHhxipTjGVfrPUpxmJtNPZpxsgxQWSpYCYMl304DD_5wWrnumNNIKOaVsAYmjFPV_wqxFCHbitPd1BG9SwXPk7wAHtXT6rYaUImS_OKaHkTO1OO0PNhd3-wJRNMCh_EGUwAghfWgFyAd20pQLZamamxgHvfL4-0hwuzndhHt0ye-gRVTtXDFEwABB--zwvlCw", "e": "AQAB", "kid": "rsa1_5", "d": "EjMvbuDeyQ9sdeM3arscqgTXuWYq9Netui8sUHh3v_qDnQ1jE7t-4gny0y-IFy67RlGAH...