Security
Headlines
HeadlinesLatestCVEs

Tag

#microsoft

GHSA-r4f8-f93x-5qh3: TYPO3 is vulnerable to Cross-Site Scripting via frontend rendering

> ### CVSS: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:L/E:F/RL:O/RC:C` (8.2) ### Problem TYPO3 core component `GeneralUtility::getIndpEnv()` uses the unfiltered server environment variable `PATH_INFO`, which allows attackers to inject malicious content. In combination with the TypoScript setting [`config.absRefPrefix=auto`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php#L2547-L2549), attackers can inject malicious HTML code into pages that have not yet been rendered and cached. As a result, injected values would be cached and delivered to other website visitors (persisted cross-site scripting). Individual code which relies on the resolved value of [`GeneralUtility::getIndpEnv('SCRIPT_NAME')`](https://github.com/TYPO3/typo3/blob/v11.5.22/typo3/sysext/core/Classes/Utility/GeneralUtility.php#L2481-L2484) and corresponding usages (as shown below) are vulnerable as well. - `GeneralUtility::getIndpEnv('PATH_INFO') ...

ghsa
Open in Source
#xss#vulnerability#web#ios#microsoft#apache#git#php#nginx
CVE-2023-25396: Advanced Installer 20.1 - Release Notes

Privilege escalation in the MSI repair functionality in Caphyon Advanced Installer 20.0 and below allows attackers to access and manipulate system files.

New MSRC Blog Site

We are excited to announce the release of the new Microsoft Security Response Center (MSRC) blog site. Please visit msrc.microsoft.com/blog/starting February 9th, 2023, for all past and future MSRC blog content.  In addition to the new URL, we have refreshed the site with a new look and improved site performance, search, categories, and tags to … New MSRC Blog Site Read More »

CVE-2023-0748: Fix a bunch of open redirect · btcpayserver/btcpayserver@c2cfa17

Open Redirect in GitHub repository btcpayserver/btcpayserver prior to 1.7.6.

Why ChatGPT Isn't a Death Sentence for Cyber Defenders

Generative AI combined with user awareness training creates a security alliance that can let organizations work protected from ChatGPT.

How to Optimize Your Cyber Insurance Coverage

From prevention and detection processes to how you handle policy information, having strong cyber insurance coverage can help mitigate cybersecurity attacks.

Why Some Cloud Services Vulnerabilities Are So Hard to Fix

Five months after AWS customers were alerted about three vulnerabilities, nearly none had plugged the holes. The reasons why underline a need for change.

New MSRC Blog Site

We are excited to announce the release of the new Microsoft Security Response Center (MSRC) blog site. Please visit msrc.microsoft.com/blog/ starting February 9th, 2023, for all past and future MSRC blog content. In addition to the new URL, we have refreshed the site with a new look and improved site performance, search, categories, and tags to help users easily find content.

New MSRC Blog Site

We are excited to announce the release of the new Microsoft Security Response Center (MSRC) blog site. Please visit msrc.microsoft.com/blog/ starting February 9th, 2023, for all past and future MSRC blog content. In addition to the new URL, we have refreshed the site with a new look and improved site performance, search, categories, and tags to help users easily find content.