Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

GHSA-xvcp-33rc-j8gq: Insecure Unserialize in TYPO3 Import/Export

Failing to properly validate incoming import data, the Import/Export component is susceptible to insecure unserialize. To exploit this vulnerability a valid backend user account is needed.

ghsa
Open in Source
#vulnerability#git#perl
GHSA-86r8-4g3w-7xjp: Cross-Site Scripting in TYPO3 Backend

Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

GHSA-v5jp-4h2p-j2p4: Privilege Escalation in TYPO3 CMS

The workspace/ version preview link created by a privileged (backend) user could be abused to obtain certain editing permission, if the admin panel is configured to be shown. A valid preview link is required to exploit this vulnerability.

GHSA-5wx6-xwxf-q8qj: Cross-Site Scripting in TYPO3 Backend

Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

GHSA-4m3g-6r7g-jv4f: Arbitrary JavaScript execution due to using outdated libraries

### Summary gradio-pdf projects with dependencies on the pdf.js library are vulnerable to CVE-2024-4367, which allows arbitrary JavaScript execution. ### PoC 1. Generate a pdf file with a malicious script in the fontmatrix. (This will run `alert(‘XSS’)`.) [poc.pdf](https://github.com/user-attachments/files/15516798/poc.pdf) 2. Run the app. In this PoC, I've used the demo for a simple proof. ![1](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/d1bb7626-3d0f-4984-8873-297658d6e77e) 3. Upload a PDF file containing the script. ![2](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/803d8080-c946-446e-bb34-cf5640e1b4de) 4. Check that the script is running. ![3](https://github.com/freddyaboulton/gradio-pdf/assets/114328108/4956b95f-acca-4bb1-a3c2-7dfc96adf890) ### Impact Malicious scripts can be injected into the code, and when linked with vulnerabilities such as CSRF, it can cause even greater damage. In particular, It can become a source of further attacks, e...

GHSA-rhc2-23c2-ww7c: Remote code execution in web server context

### Impact User with administrative privileges and upload files that look like images but contain PHP code which can then be executed in the context of the web server.

GHSA-jmh9-6rjq-gjh9: Vulnerable embedded jQuery Version

### Summary PIMCore uses the JavaScript library jQuery in version 3.4.1. This version is vulnerable to cross-site-scripting (XSS). ### Details In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0. Publish Date: 2020-04-29 URL:= https://security.snyk.io/package/npm/jquery/3.4.1

Hackers Leak 221,470 Users’ Data in “Tech in Asia” News Outlet Breach

A data breach at Tech in Asia has exposed the personal information of 221,470 users. Learn more about…

Big name TikTok accounts hijacked after opening DM

High profile TikTok accounts have been targeted in a recent attack.

Zyxel Releases Patches for Firmware Vulnerabilities in EoL NAS Models

Zyxel has released security updates to address critical flaws impacting two of its network-attached storage (NAS) devices that have currently reached end-of-life (EoL) status. Successful exploitation of three of the five vulnerabilities could permit an unauthenticated attacker to execute operating system (OS) commands and arbitrary code on affected installations. Impacted models include NAS326