Cross Site Request Forgery (CSRF) vulnerability in MultiTech Conduit AP MTCAP2-L4E1 MTCAP2-L4E1-868-042A v.6.0.0 allows a remote attacker to execute arbitrary code via a crafted script upload.

CVE-2023-25201: Security Advisories - usd HeroLab

A vulnerability, which was classified as problematic, was found in SimplePHPscripts NewsLetter Script PHP 2.4. Affected is an unknown function of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-233292.

CVE-2023-3540

A vulnerability, which was classified as problematic, has been found in SimplePHPscripts Simple Forum PHP 2.7. This issue affects some unknown processing of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The associated identifier of this vulnerability is VDB-233291.

CVE-2023-3539

A vulnerability classified as problematic was found in SimplePHPscripts Photo Gallery PHP 2.0. This vulnerability affects unknown code of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be initiated remotely. VDB-233290 is the identifier assigned to this vulnerability.

CVE-2023-3538

A vulnerability classified as problematic has been found in SimplePHPscripts News Script PHP Pro 2.4. This affects an unknown part of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The identifier VDB-233289 was assigned to this vulnerability.

CVE-2023-3537

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

*   How do I find out my Build number?
*   1 Log in to the **ADAudit Plus web console**, and click **License** in the top pane.
*   2 You will find the build number mentioned below the product version. This is the current build number of ADAudit Plus.
    

Vulnerability details

Severity

Medium

CVE ID

CVE-2023-37308

Affected software versions

Builds 7091 and below \[How to find your build number?\]

Fixed version

Build 7100

Fixed on

December 28, 2022

**Details**

CVE-2023-37308 refers to a XSS vulnerability in username field reported in ManageEngine ADAudit Plus that made it possible for users to inject malicious JavaScript into the username field of the product.

We have released ADAudit Plus build 7100, that fixes the issue by sanitizing the XSS payload.

**Impact**

The vulnerability in ADAudit Plus allows users to inject malicious JavaScript into the username section of certain reports within the product. When the reports are loaded, the injected script will be executed. This type of vulnerability poses a significant risk potentially leading to data exfiltration, system compromise, or other malicious activities.

**Steps to upgrade**

Upgrade your ADAudit Plus instance to the latest build 7100, using the service pack.

**Acknowledgements**

This issue was reported by Ryan through the Zoho BugBounty program.

If you have any questions or need assistance, please get in touch with support@adauditplus.com.

CVE-2023-37308: XSS vulnerability in the username field (CVE-2023-37308) fixed

A vulnerability was found in SimplePHPscripts FAQ Script PHP 2.3. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The associated identifier of this vulnerability is VDB-233287.

CVE-2023-3535

A vulnerability was found in SimplePHPscripts Funeral Script PHP 3.1. It has been rated as problematic. Affected by this issue is some unknown functionality of the file /preview.php of the component URL Parameter Handler. The manipulation leads to cross site scripting. The attack may be launched remotely. The identifier of this vulnerability is VDB-233288.

CVE-2023-3536

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.
Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances.
The most critical vulnerability, CVE-2023-36460,

Vulnerability / Social Media

Mastodon, a popular decentralized social network, has released a security update to fix critical vulnerabilities that could expose millions of users to potential attacks.

Mastodon is known for its federated model, consisting of thousands of separate servers called "instances," and it has over 14 million users across more than 20,000 instances.

The most critical vulnerability, CVE-2023-36460, allows hackers to exploit a flaw in the media attachments feature, creating and overwriting files in any location the software could access on an instance.

This software vulnerability could be used for DoS and arbitrary remote code execution attacks, posing a significant threat to users and the broader Internet ecosystem.

If an attacker gains control over multiple instances, they could cause harm by instructing users to download malicious applications or even bring down the entire Mastodon infrastructure. Fortunately, there is no evidence of this vulnerability being exploited so far.

The critical flaw was discovered as part of a comprehensive penetration testing initiative funded by the Mozilla Foundation and conducted by Cure53.

The recent patch release addressed five vulnerabilities, including another critical issue tracked as CVE-2023-36459. This vulnerability could allow attackers to inject arbitrary HTML into oEmbed preview cards, bypassing Mastodon's HTML sanitization process.

Consequently, this introduced a vector for Cross-Site Scripting (XSS) payloads that could execute malicious code when users clicked on preview cards associated with malicious links.

UPCOMING WEBINAR

🔐 Privileged Access Management: Learn How to Conquer Key Challenges

Discover different approaches to conquer Privileged Account Management (PAM) challenges and level up your privileged access security strategy.

Reserve Your Spot

The remaining three vulnerabilities were classified as high and medium severity. They included "Blind LDAP injection in login," which allowed attackers to extract arbitrary attributes from the LDAP database, "Denial of Service through slow HTTP responses," and a formatting issue with "Verified profile links." Each of these flaws posed different levels of risk to Mastodon users.

To protect themselves, Mastodon users only need to ensure that their subscribed instance has installed the necessary updates promptly.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Mastodon Social Network Patches Critical Flaws Allowing Server Takeover

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to 0.70.1.

Tag

#xss