Security
Headlines
HeadlinesLatestCVEs

Tag

#auth

GHSA-xfqf-5rhg-5c73: ConcreteCMS Cross-Site Scripting (XSS) via HTML Block Text Field

A vulnerability was found in ConcreteCMS up to 9.3.9. It has been classified as problematic. This affects the function Save of the component HTML Block Handler. The manipulation of the argument content leads to HTML injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

ghsa
Open in Source
#xss#vulnerability#web#auth
How Each Pillar of the 1st Amendment is Under Attack

In an address to Congress this month, President Trump claimed he had "brought free speech back to America." But barely two months into his second term, the president has waged an unprecedented attack on the First Amendment rights of journalists, students, universities, government workers, lawyers and judges. This story explores a slew of recent actions by the Trump administration that threaten to undermine all five pillars of the First Amendment to the U.S. Constitution, which guarantees freedoms concerning speech, religion, the media, the right to assembly, and the right to petition the government and seek redress for wrongs.

GHSA-2m4q-2c6r-hmc3: Solon Vulnerable to Path Traversal

A vulnerability classified as problematic was found in opensolon up to 3.1.0. This vulnerability affects the function render_mav of the file /aa of the component org.noear.solon.core.handle.RenderManager. The manipulation of the argument template with the input ../org/example/HelloApp.class leads to path traversal: '../filedir'. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Top Trump Officials’ Passwords and Personal Phone Numbers Discovered Online

Plus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.

GHSA-p736-g6pg-hjhw: ShopXO Vulnerable to Server-Side Request Forgery (SSRF) via Image Upload

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) via image upload function.

GHSA-gfhv-5rqh-7qx3: ShopXO Vulnerable to Server-Side Request Forgery (SSRF) via Email Settings

ShopXO v6.4.0 is vulnerable to Server-Side Request Forgery (SSRF) in Email Settings.

GHSA-9rhg-254w-fh9x: Redoc Prototype Pollution via `Module.mergeObjects` Component

A prototype pollution in the component Module.mergeObjects (redoc/bundles/redoc.lib.js:2) of redoc <= 2.2.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

GHSA-jf6p-4hgv-v6qh: Duplicate Advisory: Leantime affected by Improper Neutralization of HTML Tags

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-95j3-435g-vjcp. This link is maintained to preserve external references. ### Original Description Cross Site Scripting vulnerability in Leantime v3.2.1 and before allows an authenticated attacker to execute arbitrary code and obtain sensitive information via the first name field in processMentions().