Security Headlines: Latest CVEs
Source: ghsa
GHSA-r947-2crg-xc39: ouqiang gocron Cross-site scripting vulnerability

Cross-site scripting (XSS) in ouqiang gocron through 1.5.3 allows attackers to inject arbitrary web script or HTML via the scope.row.hostname value rendered in web/vue/src/pages/taskLog/list.vue.

GHSA-xv7r-9vq4-9wrq: Project Wonder WebObjects vulnerable to Arbitrary HTTP Header Injection and Cross-site Scripting

Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to arbitrary HTTP header injection and to URL- or header-based reflected XSS in all web-server adaptor interfaces. A patch is available in commit b0d2d74f13203268ea254b02552600850f28014b.
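The header-injection half of that advisory, as an added example that is not Project Wonder code: a CR/LF inside a request-derived header value (here a redirect target) lets the attacker append headers of their own, and the check that refuses such values. The response builder and the attacker string are constructed for this example and stand in for any code that copies request data into the raw response.

```python
# Added example (not Project Wonder / WebObjects code): why a CR/LF in a header
# value lets an attacker append headers, and the check that refuses such values.
# build_response_* are constructed stand-ins for any code that copies a
# request-derived value (here a redirect target) into the raw response.
import re

# RFC 7230 forbids CR, LF and NUL in a field value; with them present the value
# can terminate its own header line and start a new one (or the body).
_FORBIDDEN = re.compile(r"[\r\n\x00]")


def is_safe_header_value(value):
    """True when `value` cannot break out of the header line it is written into."""
    return _FORBIDDEN.search(value) is None


def build_response_unsafe(headers):
    """Vulnerable pattern: header values are written verbatim, no validation."""
    lines = ["HTTP/1.1 302 Found"] + ["%s: %s" % (k, v) for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


def build_response_safe(headers):
    """Hardened: refuse any value that could inject a header or a body."""
    for k, v in headers:
        if not is_safe_header_value(v):
            raise ValueError("refusing header %r: CR/LF or NUL in value" % k)
    return build_response_unsafe(headers)


def rejected(headers):
    """Helper: does the safe builder refuse this header list?"""
    try:
        build_response_safe(headers)
    except ValueError:
        return True
    return False


def parse_headers(raw):
    """Parse the response head as a lenient client would: header name -> values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    parsed = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        parsed.setdefault(name.strip().lower(), []).append(value.strip())
    return parsed


# Constructed attacker input: a redirect target that smuggles a second header.
# Appending "\r\n\r\n<script>..." instead would put attacker HTML in the body,
# which is the reflected-XSS half of the advisory.
ATTACK_TARGET = "/home\r\nSet-Cookie: session=attacker-chosen"

if __name__ == "__main__":
    print(parse_headers(build_response_unsafe([("Location", ATTACK_TARGET)])))
    print("safe builder rejects:", rejected([("Location", ATTACK_TARGET)]))
```

The client in the unsafe case sees a Set-Cookie header the server never intended to send; the safe builder fails closed rather than stripping the bytes, so the caller learns that the input was hostile instead of silently sending a truncated header.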

GHSA-5m2h-7rf2-rpx6: UniSharp Laravel Filemanager directory traversal vulnerability

UniSharp laravel-filemanager (aka Laravel Filemanager) through 2.5.1 allows directory traversal via download?working_dir=%2F.. to read arbitrary files; this was exploited in the wild in June 2022.
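The traversal above, as an added example that is not Laravel Filemanager code: a working_dir and file name resolved against a storage root, with the naive join beside a checked one. Paths are handled lexically with posixpath so the result does not depend on the host, and STORAGE_ROOT is a constructed value, not the package's real layout.

```python
# Added example (not Laravel Filemanager code): a working_dir + file name
# resolved against a storage root, the naive join beside a checked one.
# Paths are handled lexically with posixpath so the result does not depend on
# the host; STORAGE_ROOT is a constructed value, not the package's layout.
import posixpath
from urllib.parse import unquote

STORAGE_ROOT = "/var/www/storage/files"


def unsafe_path(working_dir, name):
    """Naive join. '..' climbs out, and because posixpath.join restarts at any
    absolute component, working_dir='/..' discards the root entirely."""
    return posixpath.join(STORAGE_ROOT, unquote(working_dir), name)


def safe_path(working_dir, name):
    """Decode once, normalise, then require the result to stay under the root."""
    wd = unquote(working_dir)                  # '%2F..' -> '/..'
    if "%" in wd or "\x00" in wd:              # still encoded (double-encoding) or NUL
        raise ValueError("rejected working_dir")
    if not name or name in (".", "..") or "/" in name or "\x00" in name:
        raise ValueError("rejected file name")
    rel = posixpath.normpath(wd.lstrip("/"))   # absolute input becomes relative
    if rel == ".":
        rel = ""
    target = posixpath.normpath(posixpath.join(STORAGE_ROOT, rel, name))
    # commonpath, not startswith: '/var/www/storage/files2' must not pass as a prefix
    if posixpath.commonpath([STORAGE_ROOT, target]) != STORAGE_ROOT:
        raise ValueError("path escapes storage root: %s" % target)
    return target


def escapes(working_dir, name):
    """Helper: does safe_path refuse this request?"""
    try:
        safe_path(working_dir, name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_path("%2F..", "passwd"))        # the root is gone
    print(safe_path("%2Fdocs", "report.pdf"))
    print(escapes("%2F..", "passwd"))
```

The lexical check is only half the story on a real filesystem: a symlink inside the storage root can still point outside it, so production code should resolve the final path with os.path.realpath (which follows links) before the commonpath comparison.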

GHSA-ch4c-278q-5654: rdiffweb 2.4.1 Missing Custom Error Page

rdiffweb version 2.4.1 uses a default error page rather than a custom one, which leaks internal error details to the client. Version 2.4.2 fixes this issue.

GHSA-mjw4-xvx6-3grg: rdiffweb 2.4.1 vulnerable to Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

rdiffweb version 2.4.1 sets a sensitive cookie in an HTTPS session without the 'Secure' attribute, so the browser will also send the user's cookies with unencrypted requests over plain HTTP. Version 2.4.2 contains a fix for the issue.
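An added example, not rdiffweb code: an audit of a Set-Cookie value for the attributes that keep a session cookie off a clear-text connection and away from script, beside a cookie issued with those attributes set using the standard library. The cookie name and values are constructed for the example.

```python
# Added example (not rdiffweb code): an audit of a Set-Cookie value for the
# attributes that keep a session cookie off the wire in clear text and out of
# reach of script, beside a cookie issued with those attributes set. The cookie
# name and values are constructed for the example.
from http.cookies import SimpleCookie

REQUIRED = ("secure", "httponly", "samesite")


def audit_set_cookie(header_value):
    """Lower-case names of the required attributes missing from one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return {attr for attr in REQUIRED if attr not in present}


def issue_session_cookie(value):
    """Emit a session cookie with Secure (never sent over plain HTTP), HttpOnly
    (not readable from script) and SameSite set."""
    jar = SimpleCookie()
    jar["session_id"] = value
    morsel = jar["session_id"]
    morsel["path"] = "/"
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"        # supported by SimpleCookie since Python 3.8
    return morsel.OutputString()


# Constructed: what a server that omits the flag sends.
VULNERABLE_HEADER = "session_id=9f3c2b; Path=/"

if __name__ == "__main__":
    print("missing:", audit_set_cookie(VULNERABLE_HEADER))
    print("fixed:  ", issue_session_cookie("9f3c2b"))
```

The audit can be run over captured response headers to find every cookie affected, not just the session one; Secure alone is the attribute this advisory is about, but a session cookie without HttpOnly is still readable by any script that gets to run in the page, which is why the check lists all three.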

GHSA-4wjj-jwc9-2x96: Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification

Incorrect handling of supplementary groups in the Podman container engine might lead to sensitive information disclosure or data modification if an attacker has direct access to an affected container in which supplementary groups are used to set access permissions and is able to execute binary code in that container.

GHSA-fmq7-gh8v-mjvc: WildFly vulnerable to Insecure Default Initialization of Resource

A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.

GHSA-fjm8-m7m6-2fjp: Buildah's incorrect handling of the supplementary groups before v1.27.1 may lead to data disclosure, modification

Incorrect handling of supplementary groups in the Buildah container engine might lead to sensitive information disclosure or data modification if an attacker has direct access to an affected container in which supplementary groups are used to set access permissions and is able to execute binary code in that container.
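For both the Podman and the Buildah advisories above, an added example that is not code from either project: the POSIX discretionary access check written as a function of a process's credentials, which shows what a supplementary group a process should not carry inside a container actually buys it. The credentials and file metadata are constructed values, and the function models the kernel's rule, not either engine's handling of groups.

```python
# Added example (not Podman or Buildah code): the POSIX discretionary access
# check written as a function of a process's credentials, to show what a
# supplementary group that a process should not have in a container buys it.
# The credentials and file metadata below are constructed; the function models
# the kernel's rule, not either engine's handling of groups.
import os
import stat

_BITS = {
    "r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
    "w": (stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH),
    "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH),
}


def dac_allows(uid, gid, groups, owner, group, mode, want):
    """Does a process (uid, gid, supplementary groups) get `want` ('r'/'w'/'x')
    on a file with the given owner, group and permission mode?"""
    usr, grp, oth = _BITS[want]
    if uid == 0:
        # CAP_DAC_OVERRIDE: root reads and writes anything; exec still needs some x bit.
        return want != "x" or bool(mode & (usr | grp | oth))
    if uid == owner:
        return bool(mode & usr)          # owner class is decisive even if group bits are wider
    if gid == group or group in groups:  # a supplementary group counts exactly like the primary gid
        return bool(mode & grp)
    return bool(mode & oth)


def readable_by(groups, files, uid=1000, gid=1000):
    """Names in `files` ({name: (owner, group, mode)}) readable with these supplementary groups."""
    return sorted(n for n, (o, g, m) in files.items()
                  if dac_allows(uid, gid, groups, o, g, m, "r"))


# Constructed container filesystem: data reserved for gid 2000 ("backup").
FILES = {
    "/etc/passwd":        (0, 0, 0o644),
    "/backup/secret.tar": (0, 2000, 0o640),
    "/backup/state":      (0, 2000, 0o660),
}


def current_credentials():
    """The real process's credentials, exactly the inputs the kernel uses."""
    return {"uid": os.getuid(), "gid": os.getgid(), "groups": sorted(os.getgroups())}


if __name__ == "__main__":
    print("no supplementary groups:", readable_by(set(), FILES))
    print("with gid 2000 leaked in: ", readable_by({2000}, FILES))
    print("this process:", current_credentials())
```

The two readable_by calls are the whole point of the advisory: a process that is uid 1000 with no supplementary groups sees only world-readable files, while the same process carrying gid 2000 reads the backup data and, where the group bits allow it, writes to it. Inside a container, `id -G` (or the current_credentials() call above) lists exactly the groups the kernel will consult, which is the first thing to check after updating.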

GHSA-mp5p-g2jv-r8qw: rdiffweb before 2.4.2 contains Weak Password Requirements

rdiffweb prior to 2.4.2 has no password policy or password checking, which leaves users exposed to brute-force password-guessing attacks. Version 2.4.2 enforces minimum and maximum password lengths.

GHSA-wxx5-w9jc-48wx: Pebble Templates protection mechanism bypass can lead to arbitrary code execution

Pebble Templates 3.1.5 allows attackers to bypass a protection mechanism and achieve arbitrary code execution with springbok.