Security
Headlines
HeadlinesLatestCVEs

Tag

#perl

GHSA-8j9v-4hhh-x43c: Cross-Site Scripting (XSS) in TYPO3 component CSS styled content

Failing to properly encode user input, the CSS styled content component is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.

ghsa
Open in Source
#xss#git#java#perl#auth
GHSA-3jxq-5xhh-9jr3: Cross-Site Scripting (XSS) in TYPO3 component Backend

Failing to properly encode incoming data, the bookmark toolbar is susceptible to Cross-Site Scripting.

Inside the Biggest FBI Sting Operation in History

When a drug kingpin named Microsoft tried to seize control of an encrypted phone company for criminals, he was playing right into its real owners’ hands.

GHSA-6fc6-cj2j-h22x: TYPO3 Multiple Cross-Site Scripting vulnerabilities in frontend

Failing to properly encode editor input, several frontend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

Popular WordPress Plugins Leave Millions Open to Backdoor Attacks

Fastly researchers discover unauthenticated stored XSS attacks plaguing WordPress Plugins including WP Meta SEO, and the popular WP…

GHSA-9895-53fc-98v2: TYPO3 SQL Injection in dbal

A flaw in the database escaping API results in a SQL injection vulnerability when extension dbal is enabled and configured for MySQL passthrough mode in its extension configuration. All queries which use the DatabaseConnection::sql_query are vulnerable, even if arguments were properly escaped with DatabaseConnection::quoteStr beforehand.

GHSA-wh8q-72cp-p5wf: Cross-Site Scripting in TYPO3 component Indexed Search

Failing to properly encode editor input, the search result view of indexed_search is susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML.

GHSA-5cxf-xx9j-54jc: Multiple Cross-Site Scripting vulnerabilities in TYPO3 backend

Failing to properly encode user input, several backend components are susceptible to Cross-Site Scripting, allowing authenticated editors to inject arbitrary HTML or JavaScript.

GHSA-2p57-rm9w-gvfp: ip SSRF improper categorization in isPublic

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

GHSA-xxfm-vmcf-g33f: Improper Handling of Insufficient Permissions in `wagtail.contrib.settings`

### Impact Due to an improperly applied permission check in the `wagtail.contrib.settings` module, a user with access to the Wagtail admin and knowledge of the URL of the edit view for a settings model can access and update that setting, even when they have not been granted permission over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. ### Patches Patched versions have been released as Wagtail 6.0.5 and 6.1.2. Wagtail releases prior to 6.0 are unaffected. ### Workarounds No workaround is available. ### Acknowledgements Many thanks to Victor Miti for reporting this issue. ### For more information If you have any questions or comments about this advisory: * Visit Wagtail's [support channels](https://docs.wagtail.io/en/stable/support.html) * Email us at [security@wagtail.org](mailto:security@wagtail.org) (view our [security policy](https://github.com/wagtail/wagtail/security/policy) for more information).