GHSA-2rmj-mq67-h97g: Spring Framework DoS via conditional HTTP request

GHSA-gcx4-mw62-g8wm: DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS

GHSA-8fx8-3rg2-79xw: Camaleon CMS vulnerable to stored XSS through user file upload (GHSL-2024-184)

GHSA-3hp8-6j24-m5gm: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)

GHSA-2wq5-g96f-mv3v: Ouch! allows a segmentation fault due to use of uninitialized memory

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. 


Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. 


The README has been updated to include these guidelines.




**class.upload.php allows cross-site scripting attacks via uploaded files**

Moderate severity GitHub Reviewed Published Jan 4, 2024 to the GitHub Advisory Database • Updated Jan 4, 2024

Headline

GHSA-v6f4-jwv9-682w: class.upload.php allows cross-site scripting attacks via uploaded files

ghsa: Latest News