Security
Headlines
HeadlinesLatestCVEs

Tag

#js

GHSA-4qrm-9h4r-v2fx: Tina search token leak via lock file in TinaCMS

### Impact Tina search token leaked via lock file (tina-lock.json) in TinaCMS. Sites building with @tinacms/cli < 1.6.2 that use a search token are impacted. If your Tina-enabled website has search setup, you should rotate that key immediately. ### Patches This issue has been patched in @tinacms/cli@1.6.2 ### Workarounds Upgrading, and rotating search token is required for the proper fix. ### References https://github.com/tinacms/tinacms/pull/4758

ghsa
Open in Source
#vulnerability#web#nodejs#js#git
GHSA-gprj-6m2f-j9hx: DOM clobbering could escalate to Cross-site Scripting (XSS)

Pagefind initializes its dynamic JavaScript and WebAssembly files relative to the location of the first script you load. This information is gathered by looking up the value of `document.currentScript.src`. It is possible to "clobber" this lookup with otherwise benign HTML on the page, for example: ```html <img name="currentScript" src="blob:https://xxx.xxx.xxx/ui.js"></img> ``` This will cause `document.currentScript.src` to resolve as an external domain, which will then be used by Pagefind to load dependencies. This exploit would only work in the case that an attacker could inject HTML to your live, hosted, website. In these cases, this would act as a way to escalate the privilege available to an attacker. This assumes they have the ability to add some elements to the page (for example, `img` tags with a `name` attribute), but not others, as adding a `script` to the page would itself be the XSS vector. Pagefind has tightened this resolution by ensuring the source is loaded from a...

Vivavis HIGH-LEIT 4 / 5 Privilege Escalation

Vivavis HIGH-LEIT versions 4 and 5 allow attackers to execute arbitrary code as local system on systems where the "HL-InstallService-hlxw" or "HL-InstallService-hlnt" Windows service is running. Authentication is necessary for successful exploitation. The execution of the exploit is trivial and might affect other systems if the applications folder is shared between multiple systems in which case the vulnerability can be used for lateral movement.

Red Hat Security Advisory 2024-6211-03

Red Hat Security Advisory 2024-6211-03 - Red Hat OpenShift Service Mesh Containers for 2.6.1. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-6210-03

Red Hat Security Advisory 2024-6210-03 - Red Hat OpenShift Service Mesh Containers for 2.5.4.

Red Hat Security Advisory 2024-6209-03

Red Hat Security Advisory 2024-6209-03 - Red Hat OpenShift Service Mesh Containers for 2.4.10.

Red Hat Security Advisory 2024-6195-03

Red Hat Security Advisory 2024-6195-03 - An update for skopeo is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-6189-03

Red Hat Security Advisory 2024-6189-03 - An update for buildah is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-6187-03

Red Hat Security Advisory 2024-6187-03 - An update for gvisor-tap-vsock is now available for Red Hat Enterprise Linux 9.

Red Hat Security Advisory 2024-6184-03

Red Hat Security Advisory 2024-6184-03 - An update for orc is now available for Red Hat Enterprise Linux 9. Issues addressed include a buffer overflow vulnerability.