Security Headlines

Tag: #web

Event Ticketing System 1.0 Cross Site Scripting

Event Ticketing System version 1.0 suffers from a cross site scripting vulnerability.

Packet Storm
CVE-2023-41318: Unsafe media served inline on download endpoints

matrix-media-repo is a highly customizable multi-domain media repository for the Matrix chat ecosystem. In affected versions an attacker could upload a malicious piece of media to the media repo, which would then be served with `Content-Disposition: inline` upon download. This vulnerability could be leveraged to execute scripts embedded in SVG content. Commits `77ec235` and `bf8abdd` fix the issue and are included in the 1.3.0 release. Operators should upgrade to v1.3.0 as soon as possible. Operators unable to upgrade should override the `Content-Disposition` header returned by matrix-media-repo as a workaround.
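To make the fix concrete, here is an added example (written for this page, not matrix-media-repo's own code) of a download handler that only serves an allow-listed set of media types inline and forces everything else, SVG included, to download as an attachment. The allowlist, the `serveMedia` helper and the CSP header are assumptions of this example, not the project's actual values; the point is that `Content-Disposition` must be chosen from the stored content type, never defaulted to `inline`.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
)

// inlineSafeTypes is an illustrative allowlist of media types a browser can
// render without executing script. Assumption for this example, not the
// project's list.
var inlineSafeTypes = map[string]bool{
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
	"image/webp": true,
	"audio/mpeg": true,
	"video/mp4":  true,
	"text/plain": true,
}

// VulnerableDisposition models the behaviour the advisory describes: every
// download is served inline regardless of its type.
func VulnerableDisposition(contentType, filename string) string {
	return mime.FormatMediaType("inline", map[string]string{"filename": filename})
}

// SafeDisposition serves only allow-listed types inline. SVG (which may carry
// <script>), HTML and anything unparseable become attachments.
func SafeDisposition(contentType, filename string) string {
	mt, _, err := mime.ParseMediaType(contentType)
	if err != nil {
		mt = "application/octet-stream"
	}
	disp := "attachment"
	if inlineSafeTypes[mt] {
		disp = "inline"
	}
	return mime.FormatMediaType(disp, map[string]string{"filename": filename})
}

// serveMedia writes a stored blob with the hardened headers.
func serveMedia(w http.ResponseWriter, contentType, filename string, body []byte) {
	w.Header().Set("Content-Type", contentType)
	w.Header().Set("Content-Disposition", SafeDisposition(contentType, filename))
	// Defence in depth (example choice): no MIME sniffing, and a sandboxing CSP
	// so script cannot run even if a client does render the body.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.Header().Set("Content-Security-Policy", "sandbox; default-src 'none'; script-src 'none'")
	w.WriteHeader(http.StatusOK)
	w.Write(body)
}

func main() {
	// Constructed malicious upload: an SVG carrying a script element.
	evilSVG := []byte(`<svg xmlns="http://www.w3.org/2000/svg"><script>alert(document.cookie)</script></svg>`)
	rec := httptest.NewRecorder()
	serveMedia(rec, "image/svg+xml", "avatar.svg", evilSVG)
	fmt.Println("vulnerable:", VulnerableDisposition("image/svg+xml", "avatar.svg"))
	fmt.Println("hardened:  ", rec.Header().Get("Content-Disposition"))
}
```

Run it and the vulnerable path prints `inline; filename=avatar.svg` while the hardened handler returns `attachment; filename=avatar.svg`. This is also what the advisory's workaround amounts to: overriding `Content-Disposition` at the reverse proxy so it is never `inline` for untrusted uploads.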

CVE-2023-32332: Security Bulletin: IBM Maximo Manage application in IBM Maximo Application Suite is vulnerable to HTML Injection (CVE-2023-32332)

IBM Maximo Application Suite 8.9, 8.10 and IBM Maximo Asset Management 7.6.1.2, 7.6.1.3 are vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site. IBM X-Force ID: 255072.

CVE-2023-41578: Jeecg-boot <=3.5.3 Arbitrary File Read · Issue #1 · Snakinya/Bugs

Jeecg-boot versions up to v3.5.3 were discovered to contain an arbitrary file read vulnerability via the /testConnection interface.

CVE-2023-41338: Vulnerability in Ctx.IsFromLocal()

Fiber is an Express inspired web framework built in the go language. Versions of gofiber prior to 2.49.2 did not properly restrict access to localhost. This issue impacts users of our project who rely on the `ctx.IsFromLocal` method to restrict access to localhost requests. If exploited, it could allow unauthorized access to resources intended only for localhost. Setting `X-Forwarded-For: 127.0.0.1` in a request from a foreign host will result in true for `ctx.IsFromLocal`. Access is limited to the scope of the affected process. This issue has been patched in version `2.49.2` with commit `b8c9ede6`. Users are advised to upgrade. There are no known workarounds to remediate this vulnerability without upgrading to the patched version.
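The header trick above generalizes to any "is this request local?" check that reads a client-supplied proxy header. The added example below (written for this page, not Fiber's code) models the flawed logic the advisory describes alongside two safe variants: one that trusts only the TCP peer address, and one for deployments behind a reverse proxy that consults `X-Forwarded-For` only when the peer is a configured trusted proxy. Function names, the trusted-proxy list and the sample addresses are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// hostOf strips the port from "host:port" / "[v6]:port"; bare addresses
// (as found in X-Forwarded-For) are returned unchanged.
func hostOf(addr string) string {
	if host, _, err := net.SplitHostPort(addr); err == nil {
		return host
	}
	return addr
}

// isLoopback reports whether addr parses as a loopback IP (127.0.0.0/8, ::1).
func isLoopback(addr string) bool {
	ip := net.ParseIP(hostOf(addr))
	return ip != nil && ip.IsLoopback()
}

// IsFromLocalVulnerable models the pre-fix behaviour: if X-Forwarded-For is
// present its first hop is believed, so any remote client can claim 127.0.0.1.
func IsFromLocalVulnerable(remoteAddr, xff string) bool {
	if xff != "" {
		first := strings.TrimSpace(strings.Split(xff, ",")[0])
		return isLoopback(first)
	}
	return isLoopback(remoteAddr)
}

// IsFromLocalFixed trusts only the transport-level peer address, which a
// remote host cannot forge.
func IsFromLocalFixed(remoteAddr string) bool {
	return isLoopback(remoteAddr)
}

// IsFromLocalBehindProxy is the shape needed when the app sits behind a
// reverse proxy: X-Forwarded-For is consulted only if the peer is one of
// trustedProxies, and then only its last hop (the one the proxy appended) is
// used. Unknown peers are judged on their own address.
func IsFromLocalBehindProxy(remoteAddr, xff string, trustedProxies []string) bool {
	peer := hostOf(remoteAddr)
	trusted := false
	for _, p := range trustedProxies {
		if p == peer {
			trusted = true
			break
		}
	}
	if !trusted || xff == "" {
		return isLoopback(remoteAddr)
	}
	hops := strings.Split(xff, ",")
	return isLoopback(strings.TrimSpace(hops[len(hops)-1]))
}

func main() {
	// Constructed request: foreign peer spoofing the header.
	peer, xff := "203.0.113.5:44321", "127.0.0.1"
	fmt.Println("vulnerable:", IsFromLocalVulnerable(peer, xff)) // true: bypass
	fmt.Println("fixed:     ", IsFromLocalFixed(peer))           // false
	fmt.Println("proxy-aware:", IsFromLocalBehindProxy(peer, xff, []string{"10.0.0.2"}))
}
```

The proxy-aware variant is the only one where `X-Forwarded-For` is ever honoured, and then only after the peer address has proven it came from infrastructure you control; without that check the header is just another attacker-controlled input.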

CVE-2023-41575: Stored-xss/poc at main · soundarkutty/Stored-xss

Multiple stored cross-site scripting (XSS) vulnerabilities in /bbdms/sign-up.php of Blood Bank & Donor Management v2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Full Name, Message, or Address parameters.

SyncBreeze 15.2.24 Denial Of Service

SyncBreeze version 15.2.24 suffers from a denial of service vulnerability.

Drupal 10.1.2 Web Cache Poisoning

Drupal version 10.1.2 appears to suffer from web cache poisoning due to a server-side request forgery vulnerability.

Soosyze 2.0.0 Arbitrary File Upload

Soosyze version 2.0.0 suffers from an arbitrary file upload vulnerability.

Axigen 10.5.0–4370c946 Cross Site Scripting

Axigen versions 10.5.0–4370c946 and below suffer from a cross site scripting vulnerability.