Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-3mmh-vq9w-4c3g: Microweber vulnerable to Reflected Cross-site Scripting

Microweber versions 1.3.1 and prior are vulnerable to Reflected Cross-site Scripting (XSS). A patch is available on the 1.4, dev, and laravel-sail branches.

ghsa
Open in Source
#xss#web#git
CVE-2022-4617: huntr – Security Bounties for any GitHub repository

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.3.2.

GHSA-9p8j-hrgf-jc2g: Apache Zeppelin Cross-site Scripting vulnerability

An Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary javascript in other users' browsers. This issue affects Apache Zeppelin before 0.8.2. Users are recommended to upgrade to a supported version of Zeppelin.

CVE-2022-38391: Security Bulletin: IBM Spectrum Control is vulnerable to multiple weaknesses related IBM WebSphere Application Server Liberty and FasterXML jackson-databind

IBM Spectrum Control 5.4 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 233982.

CVE-2022-46771: IBM UrbanCode Deploy (UCD) cross-site scripting CVE-2022-46771 Vulnerability Report

IBM UrbanCode Deploy (UCD) 6.2.0.0 through 6.2.7.18, 7.0.5.0 through 7.0.5.13, 7.1.0.0 through 7.1.2.9, 7.2.0.0 through 7.2.3.2 and 7.3.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 242273.

CVE-2022-4619: Sidebar Widgets by CodeLights

The Sidebar Widgets by CodeLights plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Extra CSS class’ parameter in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Senayan Library Management System 9.2.1 Cross Site Scripting

Senayan Library Management System version 9.2.1 suffers from a cross site scripting vulnerability.

Akamai wrestles with AWS S3 web cache poisoning bug

Definitive solution is ‘non-trivial’ since behavior arises from customers processing non-RFC compliant requests

CVE-2022-23543: Own HTML attributes when attaching a YouTube link to the post

Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.

CVE-2022-43887: Security Bulletin: IBM Cognos Analytics has addressed multiple vulnerabilities (CVE-2021-29469, CVE-2022-39160, CVE-2022-38708, CVE-2022-42003, CVE-2022-42004, CVE-2022-43883, CVE-2022-43887, CVE-2022

IBM Cognos Analytics 11.1.7, 11.2.0, and 11.2.1 could be vulnerable to sensitive information exposure by passing API keys to log files. If these keys contain sensitive information, it could lead to further attacks. IBM X-Force ID: 240450.