Source: ghsa
GHSA-gh4g-65f6-84g5: pimcore is vulnerable to cross-site scripting

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.19.

GHSA-p4g9-c9qr-wmg5: Cross-site Scripting in django-ajax-utilities

A vulnerability was found in Mobile Vikings Django AJAX Utilities and classified as problematic. This issue affects the function Pagination of the file django_ajax/static/ajax-utilities/js/pagination.js of the component Backslash Handler. The manipulation of the argument url leads to cross-site scripting. The attack may be initiated remotely. The patch is on commit 329eb1dd1580ca1f9d4f95bc69939833226515c9, which has been included in release 1.2.8. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-222611.

GHSA-j83x-r9qq-9g4v: Froxlor is vulnerable to authentication bypass

Authentication Bypass by Primary Weakness in GitHub repository froxlor/froxlor prior to 2.0.13.

GHSA-6w5f-5wgr-qjg5: Constellation allows Emergency shell access during initramfs boot phase

### Impact

An active attacker could let the boot fail on purpose in the initramfs, dropping the serial console into an emergency shell. This gives attackers with access to the serial console full control over the VM.

### Patches

The issue has been patched in [v2.6.0](https://github.com/edgelesssys/constellation/releases/tag/v2.6.0).

### Workarounds

None.

GHSA-wj6x-hcc2-f32j: Consul Server Panic when Ingress and API Gateways Configured with Peering Connections

A vulnerability was identified in Consul and Consul Enterprise (“Consul”) where an authenticated user with service:write permissions could trigger a workflow that causes Consul server and client agents to crash under certain circumstances. To exploit this vulnerability, an attacker requires access to an ACL token with service:write permissions, and there needs to be at least one running ingress or API gateway that is configured to route traffic to an upstream service.

GHSA-8jv7-vwrc-mv4g: Cross-site Scripting (XSS) in pimcore/pimcore

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.5.19.

GHSA-cxx3-36qc-m6qm: node-bluetooth is vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation

All versions of the package node-bluetooth are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.

GHSA-9jh3-4pc9-hq29: node-bluetooth-serial-port is vulnerable to Buffer Overflow via the findSerialPortChannel

All versions of the package node-bluetooth-serial-port are vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation.

GHSA-pvp6-53r9-8vxh: SQL Injection in Funadmin

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/table/list.

GHSA-9wf9-qvvp-2929: builderio/qwik is vulnerable to code injection

Code Injection in GitHub repository builderio/qwik prior to 0.21.0. The Function deserializer can be accessed using the pureServerFunction feature. This allows any JavaScript code to be run by Node.js.