Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-37786: GitHub - CrownZTX/reflectedxss1: Reflected XSS Vulnerabilitiy in public_html/admin/configuration.php of Geeklog v2.2.2

Multiple cross-site scripting (XSS) vulnerabilities in Geeklog v2.2.2 allow attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Mail Settings[backend], Mail Settings[host], Mail Settings[port] and Mail Settings[auth] parameters of the /admin/configuration.php.

CVE
#xss#vulnerability#web#git#php#auth

Reflected XSS 1

Geeklog v2.2.2 is vulnerable to Reflected Cross-Site Scripting (XSS) in public_html/admin/configuration.php

Vendor:https://github.com/Geeklog-Core/geeklog

PoC

  1. Log in to the Geeklog’s admin account and Navigate to Configuration->Mail.

  2. Enter the payload to the input area of Mail Settings[backend] and click on SAVE CHANGES. The payload is

    "><script>alert(‘xss’);</script>

  1. We can observe the payload getting triggered.

4.Similarly, we can enter the payload to the input area of Mail Settings[host], Mail Settings[port] and Mail Settings[auth].

  1. We can observe all payloads getting triggered.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907