#js

Red Hat Security Advisory 2024-2815-03 - An update is now available for Red Hat OpenShift GitOps v1.11.4 for Argo CD UI and Console Plugin. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section.

### Impact There is a possibility to save XSS code in province field in the Checkout and Address Book and then execute it on these pages. The problem occurs when you open the address step page in the checkout or edit the address in the address book. This only affects the base UI Shop provided by Sylius. ### Patches The issue is fixed in versions: 1.12.16, 1.13.1 and above. ### Workarounds 1. Create new file `assets/shop/sylius-province-field.js`: ```js // assets/shop/sylius-province-field.js function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts } const getProvinceInputValue = function getProvinceInputValue(valueSelector) { return valueSelector == undefined ? '' : `value="${sanitizeInput(valueSelector)}"`; }; $.fn.extend({ provinceField() { const countrySelect = $('select[name$="[countryCode]"]'); countrySelect.on('change', (event) ...

### Impact There is a possibility to execute javascript code in the Admin panel. In order to perform an XSS attack input a script into `Name` field in which of the resources: Taxons, Products, Product Options or Product Variants. The code will be executed while using an autocomplete field with one of the listed entities in the Admin Panel. Also for the taxons in the category tree on the product form. ### Patches The issue is fixed in versions: 1.12.16, 1.13.1 and above. ### Workarounds 1. Create new file `assets/admin/sylius-lazy-choice-tree.js`: ```js // assets/admin/sylius-lazy-choice-tree.js function sanitizeInput(input) { const div = document.createElement('div'); div.textContent = input; return div.innerHTML; // Converts text content to plain HTML, stripping any scripts } const createRootContainer = function createRootContainer() { return $('<div class="ui list"></div>'); }; const createLeafContainerElement = function createLeafContainerElement() { return $('<di...

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-2793-03 - An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2705-03 - An update is now available for Red Hat build of Quarkus.

### Description: A Stored Blind Cross-Site Scripting (XSS) vulnerability has been identified in the Failed Login Attempts Logging Feature of the Froxlor Application. Stored Blind XSS occurs when user input is not properly sanitized and is stored on the server, allowing an attacker to inject malicious scripts that will be executed when other users access the affected page. In this case, an unauthenticated User can inject malicious scripts in the loginname parameter on the Login attempt, which will then be executed when viewed by the Administrator in the System Logs. The application protects users against XSS attacks by utilizing an xss sanitization library. But the checks of the library were bypassed by crafting an XSS Payload using data binding and interpolation of Vue.js A working XSS payload was crafted which forces an administrator to add a new malicious attacker-controlled Administrator User. The Payload is: [payload.txt](https://github.com/froxlor/Froxlor/files/15142616/payload...

Red Hat Security Advisory 2024-2672-03 - Red Hat OpenShift Container Platform release 4.14.24 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution and denial of service vulnerabilities.

Red Hat Security Advisory 2024-2671-03 - Red Hat build of MicroShift release 4.14.24 is now available with updates to packages and images that fix several bugs. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2669-03 - Red Hat OpenShift Container Platform release 4.15.12 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a code execution vulnerability.