Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

VMware Releases Patches for Several New Flaws Affecting Multiple Products

Virtualization services provider VMware on Tuesday shipped updates to address 10 security flaws affecting multiple products that could be abused by unauthenticated attackers to perform malicious actions. The issues tracked from CVE-2022-31656 through CVE-2022-31665 (CVSS scores: 4.7 - 9.8) affect the VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager

The Hacker News
Open in Source
#sql#xss#vulnerability#java#rce#vmware#auth#The Hacker News
CVE-2022-36197: A stored cross-site scripting (XSS) vulnerability exists in BigTree CMS 4.4.16 · Issue #392 · bigtreecms/BigTree-CMS

BigTree CMS 4.4.16 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted PDF file.

CVE-2022-23733

A stored XSS vulnerability was identified in GitHub Enterprise Server that allowed the injection of arbitrary attributes. This injection was blocked by Github's Content Security Policy (CSP). This vulnerability affected all versions of GitHub Enterprise Server prior to 3.6 and was fixed in versions 3.3.11, 3.4.6 and 3.5.3. This vulnerability was reported via the GitHub Bug Bounty program.

CVE-2022-1293: Security Updates | Ercom

The embedded neutralization of Script-Related HTML Tag, was by-passed in the case of some extra conditions.

CVE-2022-34625: CWE-94: Improper Control of Generation of Code ('Code Injection') (4.8)

Mealie1.0.0beta3 was discovered to contain a Server-Side Template Injection vulnerability, which allows attackers to execute arbitrary code via a crafted Jinja2 template.

CVE-2022-34618: Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking in mealie

A stored cross-site scripting (XSS) vulnerability in Mealie 1.0.0beta3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the recipe description text field.

Delta Electronics DIAEnergie (Update C)

This updated advisory is a follow-up to the advisory update titled ICSA-21-238-03 Delta Electronics DIAEnergie (Update B) that was published March 22, 2022, on the ICS webpage at www.cisa.gov/ics. This advisory contains mitigations for Use of Password Hash with Insufficient Computational Effort, Authentication Bypass Using an Alternate Path or Channel, Unrestricted Upload of File with Dangerous Type, SQL Injection, Cross-site Request Forgery, Cross-site Scripting, and Cleartext Transmission of Sensitive Information vulnerabilities in Delta Electronics DIAEnergie, an industrial energy management system.

GHSA-6hcj-qrw3-m66q: Fava before 1.22.3 vulnerable to reflected cross-site scripting

Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.