Security
Headlines
CVE-2023-37900: crossplane/security/ADA-security-audit-23.pdf at ac8b24fe739c5d942ea885157148497f196c3dd3 · crossplane/crossplane

Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly exhausting all the available memory and therefore causing the container to be OOMKilled. The impact is limited due to the high privileges required to create the Package and the eventually consistent nature of the controller. This issue is fixed in versions 1.11.5, 1.12.3, and 1.13.0.

CVE-2023-3973: 21.6.3 release · jgraph/drawio@1db2c2c

Cross-site Scripting (XSS) - Reflected in GitHub repository jgraph/drawio prior to 21.6.3.

CVE-2023-37977: WordPress WPFunnels plugin <= 2.7.16 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in WPFunnels Team Drag & Drop Sales Funnel Builder for WordPress – WPFunnels plugin <= 2.7.16 versions.

CVE-2023-3974: 21.4.0 release · jgraph/drawio@9d6532d

OS Command Injection in GitHub repository jgraph/drawio prior to 21.4.0.

CVE-2023-3975: huntr – Security Bounties for any GitHub repository

OS Command Injection in GitHub repository jgraph/drawio prior to 21.5.0.

CVE-2023-37970: WordPress MF Gig Calendar plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Matthew Fries MF Gig Calendar plugin <= 1.2 versions.

CVE-2023-37975: WordPress Variation Swatches for WooCommerce plugin <= 2.3.7 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Swatches for WooCommerce plugin <= 2.3.7 versions.

CVE-2023-37894: WordPress Variation Images Gallery for WooCommerce plugin <= 2.3.3 - Reflected Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in RadiusTheme Variation Images Gallery for WooCommerce plugin <= 2.3.3 versions.

CVE-2023-37976: WordPress Radio Forge Muses Player with Skins plugin <= 2.5 - Cross Site Scripting (XSS) vulnerability - Patchstack

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Radio Forge Muses Player with Skins plugin <= 2.5 versions.

CVE-2023-38490: XML External Entity (XXE) vulnerability in the XML data handler

Kirby is a content management system. A vulnerability in versions prior to 3.5.8.3, 3.6.6.3, 3.7.5.2, 3.8.4.1, and 3.9.6 only affects Kirby sites that use the `Xml` data handler (e.g. `Data::decode($string, 'xml')`) or the `Xml::parse()` method in site or plugin code. The Kirby core does not use any of the affected methods. XML External Entities (XXE) is a little-used feature of the XML markup language that allows including data from external files in an XML structure. If the name of the external file can be controlled by an attacker, this becomes a vulnerability that can be abused for various system impacts, such as the disclosure of internal or confidential data stored on the server (arbitrary file disclosure) or performing network requests on behalf of the server (server-side request forgery, SSRF). Kirby's `Xml::parse()` method used PHP's `LIBXML_NOENT` constant, which enabled the processing of XML external entities during the parsing operation. The `Xml::parse()` method is ...