Security Headlines

Tag: #xss
GHSA-f36p-42jv-8rh2: Lithium vulnerable to Cross Site Scripting in provided Swagger-UI

### Impact

An XSS vulnerability in the bundled (outdated) Swagger-UI is exploitable in applications that use Lithium with Swagger-UI enabled. An attacker can run arbitrary script in the victim's browser (the advisory rates this as Remote Code Execution) and potentially exfiltrate secrets, such as credentials entered into Swagger-UI, in the context of that Swagger session.

### Patches

The bundled Swagger-UI was updated by switching to the latest version of dropwizard-swagger in commit 8b9b406d608fe482ec0e7adf8705834bca92d7df.

### Workarounds

The risk from injected external content can be reduced by setting a [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) that restricts where scripts may be loaded from. This limits, but does not remove, the exposure until the bundled Swagger-UI is updated.

### References

* https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/

### Credits

We thank [Mohit Kumar](https://www.linkedin.com/in/mohit-kumar-4ab6b3bb) for reporting this vulnerability!

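The CSP workaround above is only as good as its script-src. The following is an added example, not code from the Lithium project or the advisory: it builds a policy suitable for a page that serves Swagger-UI from its own origin and then checks an arbitrary policy string for the directives that would still let an injected payload execute. The example policy, origins and function names are assumptions for illustration.

```python
from typing import Dict, List

# Constructed example policy for a site serving Swagger-UI from its own origin.
# Swagger-UI injects inline <style> blocks, so style-src needs 'unsafe-inline';
# script-src stays at 'self', which is what stops injected <script> and handlers.
SWAGGER_UI_CSP = {
    "default-src": ["'self'"],
    "script-src": ["'self'"],
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'"],
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "frame-ancestors": ["'none'"],
}


def build_csp(policy: Dict[str, List[str]]) -> str:
    """Serialise a directive map into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(sources)}" for name, sources in policy.items())


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive: [sources]}; a repeated directive keeps its first occurrence, as browsers do."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: Dict[str, List[str]], name: str) -> List[str]:
    """Fetch directives fall back to default-src; with neither present the browser allows any source."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", ["*"])


def script_weaknesses(header: str) -> List[str]:
    """Return the ways this policy still lets an XSS payload run script; an empty list means none found."""
    d = parse_csp(header)
    findings: List[str] = []
    script = effective_sources(d, "script-src")
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("script-src permits inline scripts")
    if "'unsafe-eval'" in script:
        findings.append("script-src permits eval")
    if any(s in ("*", "http:", "https:", "data:") for s in script):
        findings.append("script-src permits scripts from arbitrary origins")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none' (plugins can run script)")
    return findings


if __name__ == "__main__":
    header = build_csp(SWAGGER_UI_CSP)
    print(header)
    print("weaknesses:", script_weaknesses(header) or "none")
    print("weaknesses:", script_weaknesses("default-src 'self'; script-src 'self' 'unsafe-inline'"))
```

Run the checker against the header your reverse proxy or Dropwizard filter actually emits; a policy that ends up with `'unsafe-inline'` in script-src, or no script-src and no default-src at all, gives no protection against the Swagger-UI issue.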
GHSA-62g7-fpv9-v95f: Inventree vulnerable to Stored Cross-site Scripting

InvenTree versions prior to 0.8.3 are vulnerable to stored cross-site scripting via uploaded SVG files, which can carry script that runs when the image is rendered inline by a browser. Version 0.8.3 contains a patch for this issue.

GHSA-5mqq-7g25-r4wx: FeehiCMS vulnerable to Cross-Site scripting via crafted payload

FeehiCMS versions 2.0.1.1 and prior contain a cross-site scripting (XSS) vulnerability via a crafted payload injected into the Comment box under the Single Page module. There are no patches and no known workarounds for this issue.

GHSA-pwq7-f7f9-cm2j: dutchcoders transfer.sh contains an XSS vulnerability via malicious file upload

dutchcoders transfer.sh versions 1.4.0 and prior are vulnerable to cross-site scripting (XSS) via a malicious document uploaded to transfer.sh and later served to a browser. A fix has been merged into [main](https://github.com/dutchcoders/transfer.sh/commit/31ad4e01e158497519f8680c187e1ceb8594c59d), but a release containing it has not yet been published.
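Both the InvenTree and the transfer.sh entries are the same class of bug: an uploaded file is later served in a way that lets the browser render it as a document. The following is an added example, not code from either project: it scans an uploaded SVG for the constructs that execute script when rendered inline, and shows the response headers that make any untrusted upload a download rather than a rendered page. The sample SVGs are constructed, and the function names are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed samples: one harmless icon and one SVG carrying three script vectors.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>'
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text>click</text></a>
</svg>"""

# Elements that embed script or foreign HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}


def local_name(qname: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> List[str]:
    """List the reasons an uploaded SVG could run script when a browser renders it; [] if none."""
    try:
        # NOTE: xml.etree expands internal entities. On a real upload path parse with
        # defusedxml (or reject any DOCTYPE) so the scanner is not a billion-laughs target.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings: List[str] = []
    if local_name(root.tag) != "svg":
        findings.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = local_name(el.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = local_name(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{tag}>")
    return findings


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving an untrusted upload: force a download, forbid MIME sniffing,
    and sandbox with no script even if the bytes are ever opened as a document."""
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def accept_svg_upload(data: bytes, filename: str) -> Dict[str, object]:
    """Gate an SVG upload: reject active content, otherwise return the headers to serve it with."""
    problems = svg_active_content(data)
    if problems:
        return {"accepted": False, "reasons": problems}
    return {"accepted": True, "headers": download_headers(filename)}


if __name__ == "__main__":
    print(accept_svg_upload(BENIGN_SVG, "icon.svg"))
    print(accept_svg_upload(MALICIOUS_SVG, "icon.svg"))
```

The scanner is a denylist and should be treated as defence in depth; the headers are the control that holds regardless of file type, because a browser that receives `Content-Disposition: attachment` with `nosniff` never executes the upload in the serving site's origin.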

CVE-2022-40472: ZKBio Time - CSV Injection

ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build 20220721.14829 was discovered to contain a CSV injection vulnerability. A crafted payload entered into the Content text field of the Add New Message module is written unescaped into exported CSV; when a victim opens the export in a spreadsheet application, the cell is interpreted as a formula and can execute arbitrary code in that application.
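CSV injection is fixed at export time, not at input time, because the same text is harmless everywhere except inside a spreadsheet. The following is an added example, not code from ZKBio Time: it neutralises cells that begin with a formula trigger and writes the export with every field quoted. The message rows are constructed sample data and the function names are assumptions for illustration.

```python
import csv
import io
from typing import Any, Dict, Iterable, List

# Leading characters that make Excel/LibreOffice treat a cell as a formula, plus the
# tab and carriage return that can be used to break out of a cell.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def neutralise_cell(value: Any) -> Any:
    """Prefix a formula-looking string with an apostrophe so spreadsheets read it as text.
    Non-strings pass through unchanged: export real numbers as int/float, not as "-5",
    or they will be prefixed too (the accepted trade-off of this defence)."""
    if not isinstance(value, str):
        return value
    if value.lstrip(" ").startswith(FORMULA_PREFIXES):
        return "'" + value
    return value


def export_csv(rows: Iterable[Dict[str, Any]], fieldnames: List[str]) -> str:
    """Write rows as CSV with every cell quoted and formula prefixes neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample resembling a message export; rows 2 and 3 carry formula payloads.
SAMPLE_MESSAGES = [
    {"id": 1, "content": "Shift change at 14:00"},
    {"id": 2, "content": '=HYPERLINK("https://example.invalid/","click")'},
    {"id": 3, "content": "  @SUM(A1:A3)"},
]


if __name__ == "__main__":
    print(export_csv(SAMPLE_MESSAGES, ["id", "content"]))
```

Quoting every field does not by itself stop the attack (spreadsheets evaluate a quoted `=` cell just the same), which is why the apostrophe prefix is applied before writing; check the output in a spreadsheet rather than a text editor when verifying a fix.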

CVE-2022-35137: DGIOT Lightweight industrial IoT multiple XSS vulnerabilities

DGIOT Lightweight industrial IoT v4.5.4 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities.

CVE-2022-40879: Another kkFileView XSS Vulnerability · Issue #389 · kekingcn/kkFileView

kkFileView v4.1.0 is vulnerable to cross-site scripting (XSS) via the errorMsg parameter, whose value is reflected into the page without encoding.

Joomla EDocman 1.23.3 Cross Site Scripting

Joomla EDocman extension version 1.23.3 suffers from a cross site scripting vulnerability.