#git

In Eclipse Ditto starting in version 3.0.0 and prior to versions 3.4.5 and 3.5.6, the user input of several input fields of the Eclipse Ditto Explorer User Interface https://eclipse.dev/ditto/user-interface.html was not properly neutralized and thus vulnerable to both Reflected and Stored XSS (Cross Site Scripting). Several inputs were not persisted at the backend of Eclipse Ditto, but only in local browser storage to save settings of "environments" of the UI and e.g. the last performed "search queries", resulting in a "Reflected XSS" vulnerability. However, several other inputs were persisted at the backend of Eclipse Ditto, leading to a "Stored XSS" vulnerability. Those mean that authenticated and authorized users at Eclipse Ditto can persist Things in Ditto which can - when being displayed by other users also being authorized to see those Things in the Eclipse Ditto UI - cause scripts to be executed in the browser of other users.

A Server-Side Request Forgery (SSRF) vulnerability in the /Upgrade/FixConfig route in Open Library Foundation VuFind 2.0 through 9.1 before 9.1.1 allows a remote attacker to overwrite local configuration files to gain access to the administrator panel and achieve Remote Code Execution. A mitigating factor is that it requires the allow_url_include PHP runtime setting to be on, which is off in default installations. It also requires the /Upgrade route to be exposed, which is exposed by default after installing VuFind, and is recommended to be disabled by setting autoConfigure to false in config.ini.

A Server-Side Request Forgery (SSRF) vulnerability in the /Cover/Show route (showAction in CoverController.php) in Open Library Foundation VuFind 2.4 through 9.1 before 9.1.1 allows remote attackers to access internal HTTP servers and perform Cross-Site Scripting (XSS) attacks by proxying arbitrary URLs via the proxy GET parameter.

By Waqas Unfading Sea Haze's modus operandi spans over five years, with evidence dating back to 2018, reveals Bitdefender Labs' investigation. This is a post from HackRead.com Read the original post: New APT Group “Unfading Sea Haze” Hits Military Targets in South China Sea

A vulnerability exists in the permission validation for SiteTree object creation. By default user permissions are not validated by the SiteTree::canCreate method, unless overridden by user code or via the configuration system. This vulnerability will allow users, or unauthenticated guests, to create new SiteTree objects in the database. This vulnerability is present when such users are given CMS access via other means, or if there is another mechanism (such as RestfulServer module) which allows model editing and relies on model-level permission checks. This vulnerability is restricted to the creation of draft or live pages, and does not allow users to edit, publish, or unpublish existing pages. All users should upgrade as soon as possible.

A cross-site scripting vulnerability has been discovered in the VirtualPage class. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the textfields of a page which a VirtualPage refers to. This has been resolved by ensuring that VirtualPage safely escapes all field content.

### **Summary** A vulnerability has been found in Dapr that causes a leak of the application token of the invoker app to the invoked app when using Dapr as a gRPC proxy for remote service invocation. This issue arises because Dapr sends the app token of the invoker app instead of the app token of the invoked app. Users who leverage Dapr for gRPC proxy service invocation and are using the app API token feature are encouraged to upgrade Dapr to version [1.13.3](https://github.com/dapr/dapr/releases/tag/v1.13.3). ### Impact This vulnerability impacts Dapr users who use Dapr as a gRPC proxy for remote service invocation as well as the [Dapr App API token](https://docs.dapr.io/operations/security/app-api-token/) functionality. An attacker could exploit this vulnerability to gain access to the app token of the invoker app, potentially compromising security and authentication mechanisms. ### Patches The issue has been fixed in Dapr version [1.13.3](https://github.com/dapr/dapr/releases/...

Silverpeas Core 6.3 is vulnerable to Cross Site Scripting (XSS) via ClipboardSessionController.

Ghost before 5.82.0 allows CSV Injection during a member CSV export.

A cross-site scripting vulnerability has been discovered in the CMS page history tab. This vulnerability can only be exploited if a user with CMS access has posted malicious or unescaped HTML into any of the text fields on a page, and if the "compare mode" option is selected. The HTML will be embedded into the page unescaped. This has been resolved by performing the text comparison in a HTML friendly way.