Security
Headlines
HeadlinesLatestCVEs

Tag

#php

Senayan Library Management System 9.2.2 Cross Site Scripting

Senayan Library Management System version 9.2.2 suffers from a cross site scripting vulnerability.

Packet Storm
Open in Source
#xss#vulnerability#web#windows#apple#js#git#java#php#auth#chrome#webkit
CVE-2022-47635: Changelogs - Documentation - Confluence

Wildix WMS 6 before 6.02.20221216, WMS 5 before 5.04.20221214, and WMS4 before 4.04.45396.23 allows Server-side request forgery (SSRF) via ZohoClient.php.

CVE-2022-40624: GitHub - dhammon/pfBlockerNg-CVE-2022-40624

pfSense pfBlockerNG through 2.1.4_27 allows remote attackers to execute arbitrary OS commands as root via the HTTP Host header, a different vulnerability than CVE-2022-31814.

CVE-2022-45942: baijiacmsV4 后台RCE | This_is_Y

A Remote Code Execution (RCE) vulnerability was found in includes/baijiacms/common.inc.php in baijiacms v4.

Senayan Library Management System 9.2.1 Cross Site Scripting

Senayan Library Management System version 9.2.1 suffers from a cross site scripting vulnerability.

CVE-2022-23543: Own HTML attributes when attaching a YouTube link to the post

Silverware Games is a social network where people can play games online. Users can attach URLs to YouTube videos, the site will generate related `<iframe>` when the post will be published. The handler has some sort of protection so non-YouTube links can't be posted, as well as HTML tags are being stripped. However, it was still possible to add custom HTML attributes (e.g. `onclick=alert("xss")`) to the `<iframe>'. This issue was fixed in the version `1.1.34` and does not require any extra actions from our members. There has been no evidence that this vulnerability was used by anyone at this time.

CVE-2022-4615: Cross Site Scripting (reflected) on fee_sheet_ajax.php in openemr

Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.

GHSA-cx45-565q-6qx8: Subsite weakens file permissions

The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to. This only affects projects with the subsites module installed. Regression testing should focus on custom file logic. Be advised that this is not a case of a user being able to edit a file in subsites they do not have access to. As a reminder, all separation of content achieved with the subsites module should be viewed as cosmetic and not appropriate for security-critical applications.

CVE-2022-4063

The InPost Gallery WordPress plugin before 2.1.4.1 insecurely uses PHP's extract() function when rendering HTML views, allowing attackers to force the inclusion of malicious files & URLs, which may enable them to run code on servers.

CVE-2021-4262: preventing sql injection by wuwx · Pull Request #72 · mgallegos/laravel-jqgrid

A vulnerability classified as critical was found in laravel-jqgrid. Affected by this vulnerability is the function getRows of the file src/Mgallegos/LaravelJqgrid/Repositories/EloquentRepositoryAbstract.php. The manipulation leads to sql injection. The name of the patch is fbc2d94f43d0dc772767a5bdb2681133036f935e. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-216271.