In TravianZ 8.3.4 and 8.3.3, Incorrect Access Control in the installation script allows an attacker to overwrite the server configuration and inject PHP code.

CVE-2023-36994: TravianZ Hacked

IBM Cloud Object System 3.15.8.97 is vulnerable to stored cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  213650.

CVE-2021-39014: IBM Cloud Object System cross-site scripting CVE-2021-39014 Vulnerability Report

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the classes/usergroups management section.

CVE-2023-37067: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the session category management section.

CVE-2023-37065: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the extra fields management section.

CVE-2023-37064: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the skills wheel.

CVE-2023-37066: Security issues - Chamilo LMS

Chamilo 1.11.x up to 1.11.20 allows users with admin privilege account to insert XSS in the careers & promotions management section.

CVE-2023-37063: Security issues - Chamilo LMS

A Cross-site scripting (XSS) vulnerability in the content editor in Gis3W g3w-suite 3.5 allows remote authenticated users to inject arbitrary web script or HTML and gain privileges via the description parameter.

**G3W-SUITE**

G3W-SUITE is the easiest way to publish QGIS projects on WebGIS services.

G3W-SUITE is a framework built with Django and VueJs,.

**Pinned**

1.  Server module for G3W-SUITE
    
    JavaScript 30 30
    
2.  Run G3W-SUITE stack with docker-compose
    
    HTML 17 25
    
3.  Map viewer addon for G3W-SUITE
    
    JavaScript 14 12
    
4.  Edit and translate G3W-SUITE end-user documentation
    
    Python 1 3
    

**Repositories**

*   Python 0 MPL-2.0 0
    
    0 0
    
    Updated Jul 7, 2023
    
*   Vue 0 MPL-2.0 0
    
    0 0
    
    Updated Jul 7, 2023
    

*   JavaScript
    
    30
    
    MPL-2.0
    
    30 32 6
    
    Updated Jul 6, 2023
    
*   JavaScript 0
    
    3 3 2
    
    Updated Jul 4, 2023
    
*   HTML
    
    17 25 16 5
    
    Updated Jun 22, 2023
    
*   Vue 0
    
    2 1 0
    
    Updated Jun 22, 2023
    
*   0 MPL-2.0 0
    
    3 0
    
    Updated Jun 13, 2023
    
*   JavaScript 0
    
    1 0 0
    
    Updated Jun 8, 2023

CVE-2023-29998: G3W-SUITE

Not yet — but it can help make incremental progress in reducing vulnerability backlogs.

Organizations worldwide are in a race to adopt AI technologies into their cybersecurity programs and tools. A majority (65%) of developers use or plan on using AI in testing efforts in the next three years. There are many security applications that will benefit from generative AI, but is fixing code one of them?

For many DevSecOps teams, generative AI represents the holy grail for clearing their increasing vulnerability backlogs. Well over half (66%) of organizations say their backlogs are comprised of more than 100,000 vulnerabilities, and over two-thirds of static application security testing (SAST) reported findings remain open three months after detection, with 50% remaining open after 363 days. The dream is that a developer could simply ask ChatGPT to "fix this vulnerability," and the hours and days previously spent remediating vulnerabilities would be a thing of the past.

It's not an entirely crazy idea, in theory. After all, machine learning has been used effectively in cybersecurity tools for years to automate processes and save time — AI is hugely beneficial when applied to simple, repetitive tasks. But applying generative AI to complex code applications has some flaws, in practice. Without human oversight and express command, DevSecOps teams could end up creating more problems than they solve.

**Generative AI Advantages and Limitations Related to Fixing Code**

AI tools can be incredibly powerful tools for simple, low-risk cybersecurity analysis, monitoring, or even remedial needs. The concern arises when the stakes become consequential. This is ultimately an issue of trust.

Researchers and developers are still determining the capabilities of new generative AI technology to produce complex code fixes. Generative AI relies on existing, available information in order to make decisions. This can be helpful for things like translating code from one language to another, or fixing well-known flaws. For example, if you ask ChatGPT to "write this JavaScript code in Python," you are likely to get a good result. Using it to fix a cloud security configuration would be helpful because the relevant documentation to do so is publicly available and easily found, and the AI can follow the simple instructions.

However, fixing most code vulnerabilities requires acting on a unique set of circumstances and details, introducing a more complex scenario for the AI to navigate. The AI might provide a "fix," but without verification, it should not be trusted. Generative AI, by definition, can't create something that is not already known, and it can experience hallucinations that result in fake outputs.

In a recent example, a lawyer is facing serious consequences after using ChatGPT to help write court filings that cited six nonexistent cases the AI tool invented. If AI were to hallucinate methods that do not exist and then apply those methods to writing code, it would result in wasted time on a "fix" that can't be compiled. Additionally, according to OpenAI's GPT-4 whitepaper, new exploits, jailbreaks, and emergent behaviors will be discovered over time and be difficult to prevent. So careful consideration is required to ensure AI security tools and third-party solutions are vetted and regularly updated to ensure they do not become unintended backdoors into the system.

**To Trust or Not to Trust?**

It's an interesting dynamic to see the rapid adoption of generative AI play out at the height of the zero-trust movement. The majority of cybersecurity tools are built on the idea that organizations should never trust, always verify. Generative AI is built on the principle of inherent trust in the information made available to it by known and unknown sources. This clash in principles seems like a fitting metaphor for the persistent struggle organizations face in finding the right balance between security and productivity, which feels particularly exacerbated at this moment.

While generative AI might not yet be the holy grail DevSecOps teams were hoping for, it will help to make incremental progress in reducing vulnerability backlogs. For now, it can be applied to make simple fixes. For more complex fixes, they'll need to adopt a verify-to-trust methodology that harnesses the power of AI guided by the knowledge of the developers who wrote and own the code.

Can Generative AI Be Trusted to Fix Your Code?

Zoho ManageEngine ADAudit Plus before 7100 allows XSS via the username field.

*   How do I find out my Build number?
*   1 Log in to the **ADAudit Plus web console**, and click **License** in the top pane.
*   2 You will find the build number mentioned below the product version. This is the current build number of ADAudit Plus.
    

Vulnerability details

Severity

Medium

CVE ID

CVE-2023-37308

Affected software versions

Builds 7091 and below \[How to find your build number?\]

Fixed version

Build 7100

Fixed on

December 28, 2022

**Details**

CVE-2023-37308 refers to a XSS vulnerability in username field reported in ManageEngine ADAudit Plus that made it possible for users to inject malicious JavaScript into the username field of the product.

We have released ADAudit Plus build 7100, that fixes the issue by sanitizing the XSS payload.

**Impact**

The vulnerability in ADAudit Plus allows users to inject malicious JavaScript into the username section of certain reports within the product. When the reports are loaded, the injected script will be executed. This type of vulnerability poses a significant risk potentially leading to data exfiltration, system compromise, or other malicious activities.

**Steps to upgrade**

Upgrade your ADAudit Plus instance to the latest build 7100, using the service pack.

**Acknowledgements**

This issue was reported by Ryan through the Zoho BugBounty program.

If you have any questions or need assistance, please get in touch with support@adauditplus.com.

Tag

#java