GHSA-8fh4-942r-jf2g: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/pages/device/services.inc.php

GHSA-7q7g-4xm8-89cq: Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit

GHSA-phm4-wf3h-pc3r: Unpatched Remote Code Execution in Gogs

GHSA-x645-6pf9-xwxw: LibreNMS has an Authenticated OS Command Injection

GHSA-gv4m-f6fx-859x: LibreNMS has a Stored XSS ('Cross-site Scripting') in librenms/includes/html/print-customoid.php

As a simple library, class.upload.php does not perform an in-depth check on uploaded files, allowing a stored XSS vulnerability when the default configuration is used. 


Developers must be aware of that fact and use extension whitelisting accompanied by forcing the server to always provide content-type based on the file extension. 


The README has been updated to include these guidelines.




**class.upload.php allows cross-site scripting attacks via uploaded files**

Moderate severity GitHub Reviewed Published Jan 4, 2024 to the GitHub Advisory Database • Updated Jan 4, 2024

Headline

GHSA-v6f4-jwv9-682w: class.upload.php allows cross-site scripting attacks via uploaded files

ghsa: Latest News