#git

A vulnerability was found in SourceCodester Simple Online Mens Salon Management System 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/?page=user/list. The manipulation of the argument First Name/Last Name/Username leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235607.

Cybersecurity agencies in Australia and the U.S. have published a joint cybersecurity advisory warning against security flaws in web applications that could be exploited by malicious actors to orchestrate data breach incidents and steal confidential data. This includes a specific class of bugs called Insecure Direct Object Reference (IDOR), a type of access control flaw that occurs when an

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff within the GitHub pull request UI. To do so, an attacker would need write access to the repository. This vulnerability affected GitHub Enterprise Server versions 3.7.0 and above and was fixed in versions 3.7.9, 3.8.2, and 3.9.1. This vulnerability was reported via the GitHub Bug Bounty program.

The National Security Agency has urged top lawmakers to resist demands that it obtain warrants for sensitive data sold by data brokers.

Affected versions of this crate have a stacked borrows violation when creating references to interned contents. All interner types are affected. The flaw was corrected in version 1.9.0 by reordering move and borrowing operations and storing interned contents by raw pointer instead of as a `Box`.

## Impact The mail obfuscation configuration was not fully taken into account and is was still possible by obfuscated emails. See https://jira.xwiki.org/browse/XWIKI-20601 for the reproduction steps. ## Patches This has been patched in XWiki 14.10.9, and XWiki 15.3-rc-1. ## Workarounds The workaround is to modify the page XWiki.LiveTableResultsMacros following this [patch](https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c). ## References - https://jira.xwiki.org/browse/XWIKI-20601 - https://github.com/xwiki/xwiki-platform/commit/1dfb6804d4d412794cbe0098d4972b8ac263df0c ## For more information If you have any questions or comments about this advisory: - Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) - Email us at [Security Mailing List](mailto:[email protected])

Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s prior to 4.0.2.

Server-Side Request Forgery (SSRF) in GitHub repository omeka/omeka-s prior to 4.0.2.

Cross-site Scripting (XSS) - Stored in GitHub repository omeka/omeka-s prior to 4.0.2.

Tolgee is an open-source localization platform. Starting in version 3.14.0 and prior to version 3.23.1, when a request is made using an API key, the backend fails to verify the permission scopes associated with the key, effectively bypassing permission checks entirely for some endpoints. It's important to note that this vulnerability only affects projects that have inadvertently exposed their API keys on the internet. Projects that have kept their API keys secure are not impacted. This issue is fixed in version 3.23.1.