#php

CakePHP Test Suite version 2.7.0 suffers from a cross site scripting vulnerability.

Aplikasi Sistem Informasi Kelulusan CMS version 1.0.9 suffers from a local file inclusion vulnerability.

AGVirtues Galeria version 2.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

### Impact Servers that passed their keys to the CryptKey constructor as as string instead of a file path will have had that key included in a LogicException message if they did not provide a valid pass phrase for the key where required. ### Patches This issue has been patched so that the provided key is no longer exposed in the exception message in the scenario outlined above. Users should upgrade to version 8.5.3 to receive the patch ### Workarounds We recommend upgrading the oauth2-server to the latest version. If you are unable to upgrade you can avoid this security issue by passing your key as a file instead of a string. ### References [Pull request](https://github.com/thephpleague/oauth2-server/pull/1353) for the applied fix.

Antlers sanitizer cannot effectively sanitize malicious SVG ### Summary The SVG tag does not sanitize malicious SVG. Therefore, an attacker can exploit this vulnerability to perform XSS attacks using SVG, even when using the `sanitize` function. ### Details Regarding the previous discussion mentioned [here](https://github.com/statamic/cms/security/advisories/GHSA-jvw9-rrc5-39g6#advisory-comment-84322), it has been identified that the default blacklist in the **FilesFieldtypeController** (located at this [link](https://github.com/statamic/cms/blob/f806b6b007ddcf066082eef175653c5beaa96d60/src/Http/Controllers/CP/Fieldtypes/FilesFieldtypeController.php#L15)) only blocks certain file extensions such as php, php3, php4, php5, and phtml. This allows a malicious user to upload a manipulated SVG file disguised as a social media icon, potentially triggering an XSS vulnerability. ### PoC Screenshot ![image](https://user-images.githubusercontent.com/17494868/251093022-15f949e9-2014-4069-850b-8...

Categories: Business Tags: solar Tags: monitoring Tags: service Tags: exposed Tags: web Tags: facing Tags: secure Tags: scan Tags: lockdown Tags: update We take a look at reports that 130,000 solar monitoring devices are sitting exposed online. (Read more...) The post Solar monitoring systems exposed: Secure your devices appeared first on Malwarebytes Labs.

A vulnerability, which was classified as problematic, was found in Artesãos SEOTools up to and including version 0.17.1. This affects the function makeTag of the file OpenGraph.php. The manipulation of the argument value leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The name of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component.

A vulnerability has been found in Artesãos SEOTools up to and including version 0.17.1. This vulnerability affects the function setTitle of the file SEOMeta.php. The manipulation of the argument title leads to open redirect. Upgrading to version 0.17.2 is able to address this issue. The name of the patch is ca27cd0edf917e0bc805227013859b8b5a1f01fb. It is recommended to upgrade the affected component.

A vulnerability was found in ThinuTech ThinuCMS 1.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file /category.php. The manipulation of the argument cat_id leads to sql injection. The attack may be launched remotely. The identifier of this vulnerability is VDB-233252.

An issue in Zimbra Collaboration ZCS v.8.8.15 and v.9.0 allows an attacker to execute arbitrary code via the sfdc_preauth.jsp component.