Security
Headlines
HeadlinesLatestCVEs

Tag

#php

CVE-2023-1212

Cross-site Scripting (XSS) - Stored in GitHub repository phpipam/phpipam prior to v1.5.2.

CVE
Open in Source
#xss#git#php
CVE-2022-45142: security - [vs] heimdal: CVE-2022-45142: signature validation failure

The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.

CVE-2023-24217: Agilebio Lab Collector 4.234 Remote Code Execution ≈ Packet Storm

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.

CVE-2023-24737: CVE/PMB at main · AetherBlack/CVE

PMB v7.4.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the query parameter at /admin/convert/export_z3950.php.

CVE-2023-26949: Remote code execution caused by uploading arbitrary files in the background · Issue #1 · keheying/onekeyadmin

An arbitrary file upload vulnerability in the component /admin1/config/update of onekeyadmin v1.3.9 allows attackers to execute arbitrary code via a crafted PHP file.

CVE-2015-10095: Release 1.3.0: New version 1.3 fixing prettyPhoto XSS issue and video rendering · wp-plugins/woo-popup

A vulnerability classified as problematic has been found in woo-popup Plugin up to 1.2.2. This affects an unknown part of the file admin/class-woo-popup-admin.php. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 1.3.0 is able to address this issue. The name of the patch is 7c76ac78f3e16015991b612ff4fa616af4ce9292. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-222327.

CVE-2023-24776: Background offline installation plug-in rce · Issue #7 · funadmin/funadmin

Funadmin v3.2.0 was discovered to contain a remote code execution (RCE) vulnerability via the component \controller\Addon.php.

CVE-2021-35377: The Most Popular Open-Source Contact Center Solution in the World

Cross Site Scripting vulnerability found in VICIdial v2.14-610c and v.2.10-415c allows attackers execute arbitrary code via the /agc/vicidial.php, agc/vicidial-greay.php, and /vicidial/KHOMP_admin.php parameters.

CVE-2023-22481: Sensitive information exposure in the logs of greader API

FreshRSS is a self-hosted RSS feed aggregator. When using the greader API, the provided password is logged in clear in `users/_/log_api.txt` in the case where the authentication fails. The issues occurs in `authorizationToUser()` in `greader.php`. If there is an issue with the request or the credentials, `unauthorized()` or `badRequest()` is called. Both these functions are printing the return of `debugInfo()` in the logs. `debugInfo()` will return the content of the request. By default, this will be saved in `users/_/log_api.txt` and if the const `COPY_LOG_TO_SYSLOG` is true, in syslogs as well. Exploiting this issue requires having access to logs produced by FreshRSS. Using the information from the logs, a malicious individual could get users' API keys (would be displayed if the users fills in a bad username) or passwords.