Security
Headlines
HeadlinesLatestCVEs

Tag

#java

Confidence in File Upload Security is Alarmingly Low. Why?

Numerous industries—including technology, financial services, energy, healthcare, and government—are rushing to incorporate cloud-based and containerized web applications.  The benefits are undeniable; however, this shift presents new security challenges.  OPSWAT's 2023 Web Application Security report reveals: 75% of organizations have modernized their infrastructure this year. 78% have

The Hacker News
Open in Source
#vulnerability#web#mac#java#kubernetes#backdoor#pdf#aws#zero_day#docker#ssl#The Hacker News
CVE-2023-5532: ImageMapper <= 1.2.6 - Cross-Site Request Forgery to Stored Cross-Site Scripting via imgmap_save_area_title — Wordfence Intelligence

The ImageMapper plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.6. This is due to missing or incorrect nonce validation on the 'imgmap_save_area_title' function. This makes it possible for unauthenticated attackers to update the post title and inject malicious JavaScript via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-47102: Quantiano

UrBackup Server 2.5.31 allows brute-force enumeration of user accounts because a failure message confirms that a username is not valid.

CVE-2023-46998: Document or fix possible XSS vulnerability (via jquery) · Issue #661 · bootboxjs/bootbox

Cross Site Scripting vulnerability in BootBox Bootbox.js v.3.2 through 6.0 allows a remote attacker to execute arbitrary code via a crafted payload to alert(), confirm(), prompt() functions.

CVE-2023-5904: Stored xss using journal-name in journal-tab in pkp-lib

Cross-site Scripting (XSS) - Stored in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2023-5901: Cross-Site Scripting ( XSS) Via file upload in pkp-lib

Cross-site Scripting in GitHub repository pkp/pkp-lib prior to 3.3.0-16.

CVE-2022-48193: SYT-2022-11: Multiple vulnerabilities in smartLink SW-HT

Weak ciphers in Softing smartLink SW-HT before 1.30 are enabled during secure communication (SSL).

CVE-2023-46251: Fix Visual editor size code persistent XSS · mybb/mybb@6dcaf0b

MyBB is a free and open source forum software. Custom MyCode (BBCode) for the visual editor (_SCEditor_) doesn't escape input properly when rendering HTML, resulting in a DOM-based XSS vulnerability. This weakness can be exploited by pointing a victim to a page where the visual editor is active (e.g. as a post or Private Message) and operates on a maliciously crafted MyCode message. This may occur on pages where message content is pre-filled using a GET/POST parameter, or on reply pages where a previously saved malicious message is quoted. The impact is be mitigated when: 1. the visual editor is disabled globally (_Admin CP ? Configuration ? Settings ? Clickable Smilies and BB Code: [Clickable MyCode Editor](https://github.com/mybb/mybb/blob/mybb_1836/install/resources/settings.xml#L2087-L2094)_ is set to _Off_), or 2. the visual editor is disabled for individual user accounts (_User CP ? Your Profile ? Edit Options_: _Show the MyCode formatting options on the posting pages_ checkbox ...

CVE-2023-47272: Fix cross-site scripting (XSS) vulnerability in setting Content-Type/… · roundcube/roundcubemail@5ec4968

Roundcube 1.5.x before 1.5.6 and 1.6.x before 1.6.5 allows XSS via a Content-Type or Content-Disposition header (used for attachment preview or download).

CVE-2023-41726

Ivanti Avalanche Incorrect Default Permissions allows Local Privilege Escalation Vulnerability