CVE-2023-27090: CVE update request: TeaCMS has XSS defects · Issue #I6L9Z2 · XiaoBingBy/TeaCMS - Gitee.com

Cross Site Scripting vulnerability found in TeaCMS storage allows attacker to cause a leak of sensitive information via the article title parameter.


When an ordinary user gives an article a title, the title is stored and rendered without filtering or escaping, which can leak sensitive information. A user can publish an article titled <script>alert(document.cookie)</script>, and the script runs in the browser of anyone who opens the article, exposing that visitor's cookies.

Defective code location: /admin/article-new.html

@RequestMapping(value = "/article-new.html")
public String articleNew(ModelMap modelMap) {
    // Load the categories and tags offered in the article editor.
    List allCategory = commonMapper.findAllCategory();
    List allTag = commonMapper.findAllTag();
    /** Insert images: load the media library for the editor. */
    List allImg = multimediaMapper.findAllImg(null);
    PageInfo allImgInfo = new PageInfo(allImg);
    modelMap.put("allCategory", allCategory);
    modelMap.put("allTag", allTag);
    modelMap.put("allImgInfo", allImgInfo.getList());
    // The editor view is rendered with the model above; no filtering or
    // encoding is applied to article titles on this path, which the report
    // identifies as the origin of the stored XSS.
    return "_admin/article/article_new";
}
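The fix a defender wants here is contextual output encoding of the stored title at render time, so that markup saved by a user is displayed as text rather than executed. The following is an added example written for this page; it is not TeaCMS code, and the class, method and sample title are constructed for illustration. It contrasts the unsafe concatenation the report describes with an HTML-encoded rendering, and adds a save-time check as defence in depth.

```java
import java.util.Arrays;
import java.util.List;

public class ArticleTitleEncodingDemo {

    /** Encode the characters that are significant in HTML text and attribute contexts. */
    static String htmlEscape(String s) {
        if (s == null) {
            return "";
        }
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Unsafe: the stored title is concatenated into the page untouched (the pattern in the report). */
    static String renderTitleUnsafe(String title) {
        return "<h2 class=\"article-title\">" + title + "</h2>";
    }

    /** Hardened: the title is HTML-encoded at output time, so any markup in it is shown as text. */
    static String renderTitleSafe(String title) {
        return "<h2 class=\"article-title\">" + htmlEscape(title) + "</h2>";
    }

    /**
     * Defence in depth at save time: output encoding is the real fix, but rejecting
     * titles that carry tag delimiters or control characters limits what gets stored.
     * Returns true when the title is acceptable.
     */
    static boolean isAcceptableTitle(String title) {
        if (title == null || title.isEmpty() || title.length() > 200) {
            return false;
        }
        for (int i = 0; i < title.length(); i++) {
            char c = title.charAt(i);
            if (c == '<' || c == '>' || Character.isISOControl(c)) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample titles: the payload named in the report and an ordinary title.
        List<String> titles = Arrays.asList(
                "<script>alert(document.cookie)</script>",
                "Release notes for version 1.0");

        for (String title : titles) {
            System.out.println("stored title : " + title);
            System.out.println("unsafe render: " + renderTitleUnsafe(title));
            System.out.println("safe render  : " + renderTitleSafe(title));
            System.out.println("accepted     : " + isAcceptableTitle(title));
            System.out.println();
        }
        // Expected: the safe render of the first title contains "&lt;script&gt;" and no
        // executable tag, and isAcceptableTitle returns false for it and true for the second.
    }
}
```

Encoding must happen where the value is emitted, for the context it lands in (HTML body here; attribute, JavaScript and URL contexts need their own encoders), and template engines that escape by default should not have that escaping turned off for user-supplied fields. Marking session cookies HttpOnly does not remove the XSS, but it stops the specific document.cookie read the report demonstrates.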
