#js

ERPNext in versions v12.0.9-v13.0.3 are affected by a stored XSS vulnerability that allows low privileged users to store malicious scripts in the ‘username’ field in ‘my settings’ which can lead to full account takeover.

A vulnerability, which was classified as critical, was found in JUNG Smart Visu Server 1.0.804/1.0.830/1.0.832. Affected is an unknown function of the component SSH Server. The manipulation leads to backdoor. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. Upgrading to version 1.0.900 is able to address this issue. It is recommended to upgrade the affected component.

An update is now available for Red Hat OpenShift GitOps 1.5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31016: argocd: vulnerable to an uncontrolled memory consumption bug * CVE-2022-31034: argocd: vulnerable to a variety of attacks when an SSO login is initiated from the Argo CD CLI or the UI. * CVE-2022-31035: argocd: cross-site scripting (XSS) allow a malicious user to inject a javascript link in the UI * CVE-2022-31036: argocd: vulnerable to a symlink followin...

Data Processing and Infrastructure Processing Units – DPU and IPU – are changing the way enterprises deploy and manage compute resources across their networks.

### Impact All versions of Argo CD starting with v0.7.0 are vulnerable to an uncontrolled memory consumption bug, allowing an authorized malicious user to crash the [repo-server](https://argo-cd.readthedocs.io/en/stable/operator-manual/architecture/#repository-server) service. The repo-server is a critical component of Argo CD, so crashing the repo-server effectively denies core Argo CD services (such as syncing Application updates). To achieve denial of service, the attacker must be an authenticated Argo CD user authorized to deploy Applications from a repository which contains (or can be made to contain) a large file. ### Patches A patch for this vulnerability has been released in the following Argo CD versions: * v2.4.1 * v2.3.5 * v2.2.10 * v2.1.16 **The patch introduces a new `reposerver.max.combined.directory.manifests.size` config parameter, which you should tune before upgrading in production.** It caps the maximum total file size of .yaml/.yml/.json files in directory-ty...

### Impact An attacker can send a request to an app using NextAuth.js with an invalid `callbackUrl` query parameter, which internally we convert to a `URL` object. The URL instantiation would fail due to a malformed URL being passed into the constructor, causing it to throw an unhandled error which led to our **API route handler timing out and logging in to fail**. This has been remedied in the following releases: next-auth v3 users before version 3.29.5 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4)) next-auth v4 users before version 4.5.0 are impacted. ### Patches We've released patches for this vulnerability in: - v3 - `3.29.5` - v4 - `4.5.0` You can do: ```sh npm i next-auth@latest ``` or ```sh yarn add next-auth@latest ``` or ```sh pnpm add next-auth@latest ``` (This will update to the latest v4 version, but you can change `latest` to `3` if you want to st...

The GeoAnalytics feature in Qlik Sense April 2020 patch 4 allows SSRF.

Threat actors associated with Russian intelligence are using the fear or nuclear war to spread data-stealing malware in Ukraine. The post Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine appeared first on Malwarebytes Labs.

IdeaLMS 2022 allows reflected Cross Site Scripting (XSS) via the IdeaLMS/Class/Assessment/ PATH_INFO.

Webkul krayin crm before 1.2.2 is vulnerable to Cross Site Scripting (XSS).