Security
Headlines
HeadlinesLatestCVEs

Tag

#git

CVE-2023-40711: CHANGELOG.md · main · Veilid / veilid · GitLab

Veilid before 0.1.9 does not check the size of uncompressed data during decompression upon an envelope receipt, which allows remote attackers to cause a denial of service (out-of-memory abort) via crafted packet data, as exploited in the wild in August 2023.

CVE
Open in Source
#dos#git
Security News This Week: US Energy Firm Targeted With Malicious QR Codes in Mass Phishing Attack

New research reveals the strategies hackers use to hide their malware distribution system, and companies are rushing to release mitigations for the “Downfall” processor vulnerability on Intel chips.

CVE-2023-2318: Security Issue: DOM-Based XSS leading to RCE · Issue #3618 · marktext/marktext

DOM-based XSS in src/muya/lib/contentState/pasteCtrl.js in MarkText 0.17.1 and before on Windows, Linux and macOS allows arbitrary JavaScript code to run in the context of MarkText main window. This vulnerability can be exploited if a user copies text from a malicious webpage and paste it into MarkText.

GHSA-rmgx-3w4r-xcfp: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 2a93d391fbd2dd9e730f65d43b29beb65903d195 and anticipated to be part of version 2.6.4.

GHSA-ff45-2jp9-69jc: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit version 2.6.3 and prior. A patch is available at commit 36d1d4d256cbbab028342ba10cc493e5c119172c and anticipated to be part of version 2.6.4.

CVE-2023-4432: Fix possible Cross-site Scripting (XSS) in Rest/GraphQL viewer · Cockpit-HQ/Cockpit@2a93d39

Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4433

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

GHSA-23qf-3jf9-h3q9: Apache NiFi Insufficient Property Validation vulnerability

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

CVE-2023-40037: Apache NiFi Security Reports

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.

CVE-2023-40174: added session expiration · fobybus/social-media-skeleton@99738b2

Social media skeleton is an uncompleted/framework social media project implemented using a php, css ,javascript and html. Insufficient session expiration is a web application security vulnerability that occurs when a web application does not properly manage the lifecycle of a user's session. Social media skeleton releases prior to 1.0.5 did not properly limit manage user session lifecycles. This issue has been addressed in version 1.0.5 and users are advised to upgrade. There are no known workarounds for this vulnerability.