CVE-2023-3580: Html Injection in Contributors in squidex

Improper Handling of Additional Special Element in GitHub repository squidex/squidex prior to 7.4.0.

Description

HTML injection in the Contributors list: an HTML payload placed in a user's Display Name is rendered unescaped when that user appears in an app's Contributors list.

Proof of Concept

1. Log in to Squidex.
2. Create an app with a random name.
3. Go to Edit Profile and set the user's Display Name to the HTML payload <h1>Sanket_722</h1>.
4. Go to https://localhost/app/{App/Random Name}/settings/contributors; the payload is rendered as HTML in the Contributors list.
For a full walkthrough, see the PoC: https://drive.google.com/file/d/1W8KdHgQKBRvRDKbNnPvrv9fYWItI9gQa/view?usp=sharing
// PoC.js
var payload = "<h1>Sanket_722</h1>";
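The root cause described above is a display name being concatenated into markup without escaping. The following is an added example, not Squidex code, that shows the vulnerable rendering pattern beside its hardened form and a write-time validation check; the contributors list, the renderContributors* and isAcceptableDisplayName functions, and the field names are assumptions constructed for illustration.

```javascript
// Added example (not Squidex code): rendering a contributors list with and
// without HTML escaping. Assumes display names are user-controlled input,
// as the advisory describes.

// Constructed sample data; the second entry reuses the payload from the advisory.
const contributors = [
  { email: "alice@example.invalid", displayName: "Alice" },
  { email: "attacker@example.invalid", displayName: "<h1>Sanket_722</h1>" },
];

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the display name goes straight into the markup,
// so "<h1>Sanket_722</h1>" becomes a real <h1> element in the page.
function renderContributorsUnsafe(list) {
  return "<ul>" +
    list.map(c => `<li>${c.displayName} (${c.email})</li>`).join("") +
    "</ul>";
}

// Hardened pattern: every user-controlled field is escaped before it enters
// the markup, so the payload is shown as literal text.
function renderContributorsSafe(list) {
  return "<ul>" +
    list.map(c => `<li>${escapeHtml(c.displayName)} (${escapeHtml(c.email)})</li>`).join("") +
    "</ul>";
}

// Defence in depth (hypothetical policy): reject display names containing
// angle brackets at write time, so a stored payload never reaches a renderer
// that forgets to escape. Output escaping remains the primary control.
function isAcceptableDisplayName(name) {
  return typeof name === "string" &&
    name.length > 0 &&
    name.length <= 100 &&
    !/[<>]/.test(name);
}

console.log("unsafe:", renderContributorsUnsafe(contributors));
console.log("safe:  ", renderContributorsSafe(contributors));
```

The safe renderer is the fix for this class of bug; the input check only narrows the window for a renderer that is missed during review, and it is deliberately not used as a substitute for escaping.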

Impact

An attacker can inject HTML characters into the Contributors list through their Display Name and alter the rendered response with arbitrary markup and special characters.
