GHSA-jfxf-4frr-9j3q: XSS in various backend modules due to (un)escaping in JS notification module

The notification module that displays flash messages unescapes HTML coming from the server, resulting in XSS vulnerabilities through various names and labels of entities (e.g. a workspace title or a media title). This does mean, however, that an attacker must already be a logged-in user with the respective rights in order to leverage the attack vector.
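As an added example, not code from the advisory or from the affected project, the following JavaScript contrasts the pattern the advisory describes (decoding HTML entities in a server-supplied flash message and then treating the result as markup) with a renderer that escapes exactly once at the point where text becomes markup. The escape/unescape helpers, the function names, the `containsLiveTag` check and the sample workspace title are all constructed for illustration.

```javascript
// Added example (not the advisory's or the project's code). Shows why decoding
// HTML entities before inserting a server-provided string as markup reintroduces
// XSS, and the single-escape alternative. All names and data are constructed.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const UNESCAPES = { '&amp;': '&', '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'" };

// Encode the five characters that are significant in HTML text and attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Decode the same entities back to characters (the step the vulnerable module performed).
function unescapeHtml(text) {
  return String(text).replace(/&(amp|lt|gt|quot|#39);/g, (m) => UNESCAPES[m]);
}

// Vulnerable pattern: the server escaped the entity name once, the client decodes
// it again and then uses the result as markup (the string equivalent of innerHTML).
function renderFlashVulnerable(serverEscapedMessage) {
  return `<div class="alert">${unescapeHtml(serverEscapedMessage)}</div>`;
}

// Hardened pattern: the message is plain text and is escaped exactly once, where
// it becomes markup. In a live DOM the equivalent is `el.textContent = message`
// rather than `el.innerHTML = ...`, with the server sending the raw text (e.g. JSON).
function renderFlashSafe(plainTextMessage) {
  return `<div class="alert">${escapeHtml(plainTextMessage)}</div>`;
}

// Detection helper: any tag-like '<' left inside the wrapper means user-controlled
// text became live markup. Used here to make the difference testable.
function containsLiveTag(html) {
  const inner = html.replace(/^<div class="alert">/, '').replace(/<\/div>$/, '');
  return /<[a-zA-Z]/.test(inner);
}

// Constructed sample: a workspace title chosen by a logged-in user with edit rights.
const workspaceTitle = 'Marketing <img src=x onerror=alert(1)> workspace';
const plainMessage = `Workspace "${workspaceTitle}" was saved.`;
// What a server-side template that escapes once would hand to the client.
const fromServerEscaped = escapeHtml(plainMessage);

console.log('vulnerable:', renderFlashVulnerable(fromServerEscaped));
console.log('hardened:  ', renderFlashSafe(plainMessage));
```

The fix is a contract about layers, not an extra escaping pass: whichever side turns the text into markup escapes it, and the other side never decodes it. Escaping on both sides would show `&amp;lt;` to the user, which is the usual reason a client starts unescaping in the first place.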

Source: ghsa. Tags: #xss #vulnerability #js #git

Package

Affected versions        Patched versions
>= 3.3, < 5.3.10         5.3.10
>= 7.0.0, < 7.0.9        7.0.9
>= 7.1.0, < 7.1.7        7.1.7
>= 7.2.0, < 7.2.6        7.2.6
>= 7.3.0, < 7.3.4        7.3.4
>= 8.0.0, < 8.0.2        8.0.2

GHSA ID: GHSA-jfxf-4frr-9j3q

