Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-4wfc-ghv5-2v7j: phpMyFAQ Stored Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

ghsa
Open in Source
#xss#vulnerability#git#php
GHSA-7q9c-f2v8-j8gw: phpMyFAQ Stored Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

GHSA-hp8m-g55r-9cfq: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE-2023-1759: fix: corrected sanitazing the string · thorsten/phpMyFAQ@ecbd810

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE-2023-1760: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@56295b5

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE-2023-1755: huntr – Security Bounties for any GitHub repository

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE-2023-1746

A vulnerability, which was classified as problematic, was found in Dreamer CMS up to 3.5.0. Affected is an unknown function of the component File Upload Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-224634 is the identifier assigned to this vulnerability.

CVE-2023-1743

A vulnerability classified as problematic has been found in SourceCodester Grade Point Average GPA Calculator 1.0. This affects an unknown part of the file index.php. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224631.

GHSA-2wcr-87wf-cf9j: Kiwi TCMS Stored Cross-site Scripting via SVG file

### Impact Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. ### Patches This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. ### Workarounds Configure Content-Security-Policy header, see [commit 6617cee0](https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077). ### References You can visit https://digi.ninja/blog/svg_xss.php for more technical details. Independently disclosed by [Antonio Spataro](https://huntr.dev/bounties/bf99001b-a0a2-4f7d-98cd-983bc7f14a69/) and [@1d8](https://huntr.dev/bounties/f8c73bcc-02f3-4c65-a92b-1caa4d67c2fd/).

CVE-2023-26692: GitHub - bigzooooz/CVE-2023-26692: ZCBS/ZBBS/ZPBS v4.14k - Reflected XSS

ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS).