File upload vulnerability in GFI Mail Archiver versions up to and including 15.1 via insecure implementation of Telerik Web UI plugin which is affected by CVE-2014-2217, and CVE-2017-11317.

CVE-2021-29281: Unrestricted File Upload | OWASP Foundation

Magnolia CMS v6.2.19 was discovered to contain a cross-site scripting (XSS) vulnerability via the Edit Contact function. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

CVE-2022-33098

In Apache Druid 0.22.1 and earlier, certain specially-crafted links result in unescaped URL parameters being sent back in HTML responses. This makes it possible to execute reflected XSS attacks.

**Email display mode:**

Modern rendering  
Legacy rendering

CVE-2021-44791

Bookwyrm is an open source social reading and reviewing program. Versions of Bookwyrm prior to 0.4.1 did not properly sanitize html being rendered to users. Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses. These vulnerabilities may be exploited as cross site scripting attacks on users viewing these fields. Users are advised to upgrade to version 0.4.1. There are no known workarounds for this issue.


**Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in BookWyrm**

**Package**

BookWyrm (Installed application)

**Affected versions**

< v0.4.1

**Description**

**Impact**

Unprivileged users are able to inject scripts into user profiles, book descriptions, and statuses.

**Patches**

Patched in version v0.4.1

**Workarounds**

Limit registration to only trusted users.

**References**

XSS-OSWAP

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in BookWyrm
*   Email us at mousereeve@riseup.net

CVE-2022-31136

HumHub is an Open Source Enterprise Social Network. Affected versions of HumHub are vulnerable to a stored Cross-Site Scripting (XSS) vulnerability. For exploitation, the attacker would need a permission to administer the Spaces feature. The names of individual "spaces" are not properly escaped and so an attacker with sufficient privilege could insert malicious javascript into a space name and exploit system users who visit that space. It is recommended that the HumHub is upgraded to 1.11.4, 1.10.5. There are no known workarounds for this issue.


@@ -102,7 +102,7 @@ private function initProfileFieldFilter(ProfileField $profileField, $sortOrder = $fieldType = isset($definition\[$profileField\->internal\_name\]\['type'\]) ? $definition\[$profileField\->internal\_name\]\['type'\] : null;  
$filterData = \[ 'title' => Yii::t($profileField\->getTranslationCategory(), $profileField\->title), 'title' => Html::encode(Yii::t($profileField\->getTranslationCategory(), $profileField\->title)), 'type' => $fieldType, 'sortOrder' => $sortOrder, \];

CVE-2022-31133: Fix format of displaying user profile title field on "People" page (#… · humhub/humhub@07d9f8f

Four high, six medium, and one low severity issue fixed

Four high, six medium, and one low severity issue fixed

Fortinet has addressed a raft of security vulnerabilities affecting several of its endpoint security products.

The California-headquartered cybersecurity giant, which accounts for more than a third of all firewall and unified threat management shipments worldwide, released a huge number of firmware and software updates on Tuesday (July 5).

A quartet of high severity flaws includes multiple relative path traversal bugs in the management interface of FortiDeceptor, which spins up virtual machines that serve as honeypots for network intruders (CVE-2022-30302).

RECOMMENDED High severity OpenSSL bug could lead to remote code execution

Abuse of these “may allow a remote and authenticated attacker to retrieve and delete arbitrary files from the underlying filesystem via specially crafted web requests”, according to the corresponding Fortinet advisory.

Similarly, attackers could achieve privilege escalation in Windows versions of endpoint protection and VPN product FortiClient via path traversal in the named pipe responsible for the FortiESNAC service (CVE-2021-41031).

The FortiNAC network access control solution, meanwhile, suffered from an “empty password in configuration file vulnerability” through which an authenticated attacker could access the MySQL databases via the command line interface (CLI) (CVE-2022-26117).

**Additional bugs**

The other high severity issue, which applies to security event analysis appliance FortiAnalyzer, the FortiManager network management device, the FortiOS operating system, and the FortiProxy web proxy, “may allow a privileged attacker to execute arbitrary code or command via crafted CLI ‘execute restore image’ and ‘execute certificate remote’ operations with the TFTP protocol” (CVE-2021-43072).

Medium severity issues in the patch batch include SQL injection vulnerabilities in the FortiADC application delivery controller (CVE-2022-26120) and an OS command injection vulnerability in CLI in FortiAnalyzer and FortiManager (CVE-2022-27483).

Catch up with the latest enterprise security news

Meanwhile, cross-site scripting (XSS) issues in the FortiEDR endpoint security solution (CVE-2022-29057); a privilege escalation bug in FortiManager and FortiAnalyzer (CVE-2022-26118); and stack-based buffer overflows in diagnostic CLI commands affecting FortiOS and FortiProxy (CVE-2021-44170).

The sixth and final medium severity issue is an integer overflow in dhcpd daemon impacting FortiOS, FortiProxy, FortiSwitch ethernet switches, the FortiRecoder video surveillance system, and the FortiVoiceEnterprise communications system, (CVE-2021-42755).

Last and least, in threat terms, is a low severity XSS vulnerability affecting FortiOS (CVE-2022-23438).

YOU MIGHT ALSO LIKE Spring Data MongoDB hit by another critical SpEL injection flaw

Fortinet patch batch remedies multiple path traversal vulnerabilities

EQS Integrity Line through 2022-07-01 allows a stored XSS via a crafted whistleblower entry.

CVE-2022-34007: Compliance

The Appfire Jira Misc Custom Fields (JMCF) app 2.4.6 for Atlassian Jira allows XSS via a crafted project name to the Add Auto Indexing Rule function.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2022-039 Product: Jira Misc Custom Fields (JMCF) Manufacturer: Appfire Affected Version(s): 2.4.6 Tested Version(s): 2.4.6 Vulnerability Type: Stored Cross-Site Scripting (CWE-79) Risk Level: Medium Solution Status: Closed Manufacturer Notification: 2022-05-27 Solution Date: 2022-06-29 Public Disclosure: 2022-07-07 CVE Reference: CVE-2022-32567 Author of Advisory: Lukas Faiß, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: Jira Misc Custom Fields (JMCF) is an add-on for Jira to perform custom calculations. The manufacturer describes the product as follows (see \[1\]): "JMCF by Appfire lets you easily expose 'hidden' issue information and create calculations - from simple math operations to sophisticated Groovy scripts." Due to insufficient input validation of user-provided input, JMCF is vulnerable to cross-site scripting (XSS) attacks. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The 'Add Auto Indexing Rule' function is prone to a stored XSS attack. XSS vulnerabilities allow an attacker to embed malicious JavaScript code into server replies which is later executed in the browsers of other users. By executing JavaScript, attackers can, for example, perform actions in the context of other logged-in users. For testing purposes, the add-on of the manufacturer\[1\] was used in a local Jira Server\[4\] installation. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The combo box project selection within the 'Add Auto Indexing Rule' function is vulnerable to an XSS attack. If a project with the name "Pent" is created, it will be loaded via the following request when loading the projects: GET /rest/jmcf/1/project/picker?query=&maxResults=1000&showAvatar=true HTTP/2 Host: \[REDACTED\] Cookie: Sec-Ch-Ua: " Not A;Brand";v="99", "Chromium";v="101", "Google Chrome";v="101" Accept: application/json, text/javascript, \*/\*; q=0.01 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Sec-Ch-Ua-Platform: "Linux" Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://\[REDACTED\]/secure/JMCFEditIndexingRule!Default.jspa?id= Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 The response contains the project names. Within this page, the malicious code is now being executed. Here is a line of the response that contains the malicious stored project name: ,{ "name":"PentProj (PSOPPPP)", "key":"PSOPPPP", "html":"PentProj (PSOPPPP)" }, ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Context-sensitive HTML encoding of project names. More information: https://cheatsheetseries.owasp.org/cheatsheets/Cross\_Site\_Scripting\_ Prevention\_Cheat\_Sheet.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2022-05-12: Vulnerability discovered 2022-05-27: Vulnerability reported to manufacturer 2022-06-29: Patch released by manufacturer 2022-07-07: Public disclosure of vulnerability ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: \[1\] Product website for Jira Misc Custom Fields (JMCF) https://marketplace.atlassian.com/apps/27136/jira-misc-custom-fields-jmcf?hosting=server&tab=overview \[2\] SySS Security Advisory SYSS-2022-039 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-039.txt \[3\] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy \[4\] Jira Core Server https://www.atlassian.com/software/jira/core/download ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Lukas Faiß of SySS GmbH. E-Mail: lukas.faiss@syss.de Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Lukas\_Fai%C3%9F.asc Key Fingerprint: A145 2068 8E74 5053 A7BE 97C3 D78E AE2E B739 3EEA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL: http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEoUUgaI50UFOnvpfD146uLrc5PuoFAmLFP9EACgkQ146uLrc5 Pup4yw//QVBRL7vL1QJBPZKUh3tQDka1+1yjOt/IixC1WoccjwTT6Zv+Pb2C8bEJ vCeoqQfBGQeVbiqVaMEiora9ijbDZLorDhjK8UIa3nUGzXGSqgiGJoxDHSe3q1Vr KKOMDqslQP5Zb5CowVtqcNww/ulWm+brr+w6e+sHkc7ibsTPeZaZdh82vqHFs+rb bxcshi+H5kI+QqzKjyP+d+bKoFRbEiKqYX+SRxgY+dY8nGDN3WPIlHie597Jni/M 8QeEjo6owb4QapF7A9emb0PsxJte3nZNeB0NzeHeW0b990Jczl5a4aRZrqKLUq6b Qrmq8Fe8dxr7Gz9btSBFOlbv8B+hSyQNsjvolcjr+0G5czDp6vPvFfP2csJX8hb7 +68xqA5SqL1WBMIWnlddJMC1vknQHvnDkHzl45DPWIWFPMSrBDodQ+A0VkeYe+rd F6jNw2DVXp7Ln2Z2n/OdbhK6+qsLXRB3s6l6sbCsxAI3pvBnNvvq3MjpzBpCvoP4 KvBgu23nucCGGhk3cVWc2iEEcS2aG6FRljiKoYy0+FveyUrB52sTMlD7JttAvgD1 JLJ1df2gDjQ4UOfwaGSl2rQDKWu7M6pxG5jLNvqU1FnQHzlJ8xMaA4K6t3b/oFi8 IKoE7A1LLmkgNpKtqYwFLgVgF+kBro7JYW0NnqXvn92tAXTvQyI= =ZLwT -----END PGP SIGNATURE-----

CVE-2022-32567

Cross-site Scripting (XSS) - Stored in GitHub repository outline/outline prior to v0.64.4.

Permalink

Browse files

0.64.4

*   Loading branch information

tommoor committed

Jul 6, 2022

1 parent 0e93732 commit 85657b7340cdeaa696034f294489df8d6a4914d3

Showing **1 changed file** with **1 addition** and **1 deletion**.

2 package.json

Show comments View file

@@ -329,5 +329,5 @@

"dot-prop": "^5.2.0",

"js-yaml": "^3.14.1"

},

"version": "0.64.3"

"version": "0.64.4"

}

**0 comments on commit 85657b7**

Please sign in to comment.

CVE-2022-2342: 0.64.4 · outline/outline@85657b7

** UNSUPPORTED WHEN ASSIGNED ** Apache Jetspeed-2 does not sufficiently filter untrusted user input by default leading to a number of issues including XSS, CSRF, XXE, and SSRF. Setting the configuration option "xss.filter.post = true" may mitigate these issues. NOTE: Apache Jetspeed is a dormant project of Apache Portals and no updates will be provided for this issue.

**Insufficient user input in Apache Jetspeed-2**

High severity GitHub Reviewed Published Jul 7, 2022 • Updated Jul 8, 2022

Tag

#xss