
CVE-2023-4321: prevent xhtml files from being uploaded in the assets manager · Cockpit-HQ/Cockpit@34ab31e

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.4.3.

Tags: CVE, #xss, #git, #php

Expand Up @@ -68,8 +68,11 @@ $allowed = $allowed == ‘*’ ? true : str_replace([' ', ‘,’], ['’, ‘|’], preg_quote(is_array($allowed) ? implode(',’, $allowed) : $allowed)); $max_size = $this->app->retrieve('assets/max_upload_size’, 0);
$forbiddenExtension = ['php’, 'phar’, 'phtml’, 'phps’, 'htm’, 'html’, ‘htaccess’]; $forbiddenMime = ['application/x-httpd-php’, ‘text/html’]; $forbiddenExtension = ['php’, 'phar’, 'phtml’, 'phps’, 'htm’, 'html’, 'xhtml’, ‘htaccess’]; $forbiddenMime = [ 'application/x-httpd-php’, 'application/x-php’, 'text/x-php’, 'text/html’, ‘application/xhtml+xml’ ];
if (isset($files[‘name’]) && is_array($files[‘name’])) {
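Review bot: the hunk fixes this report by adding `'xhtml'` to `$forbiddenExtension` and `'application/x-php'`, `'text/x-php'` and `'application/xhtml+xml'` to `$forbiddenMime`, i.e. by growing a denylist, so any browser-renderable or server-executable type the two arrays do not name stays uploadable and this class of stored XSS will need another entry each time one is noticed. Suggest replacing the two arrays with an allowlist of the asset types the manager actually needs (`$allowed` on line 68 already exists for that purpose), and, independently of the extension check, serving uploaded assets with `Content-Disposition: attachment` or from a separate origin so a file that does get through is never rendered in the application's origin. The comparison against `$forbiddenExtension` is outside the hunk; confirm it normalizes case (`.HTML` vs `.html`) and tests the extension the web server will act on, and consider a short comment above the arrays recording why each entry is there so the next addition is not guesswork.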

Related news

GHSA-3vf5-xm2p-6mh5: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit 2.6.2 and prior. A patch is available at commit 34ab31ee9362da51b9709e178469dbffd7717249.
