Security
Headlines
HeadlinesLatestCVEs

Tag

#web

GHSA-mrw8-5368-phm3: Contao allows admin an account to upload SVG file containing malicious JavaScript

Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target.

ghsa
Open in Source
#xss#vulnerability#web#java#auth
GHSA-hxpp-g76m-qhvg: October allows an admin account to upload PDF containing malicious JavaScript

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.

GHSA-3636-hx62-pv26: Zenario allows authenticated admin users to upload PDF files containing malicious code

Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.

GHSA-2cc5-429x-p387: Zenario Cross Site Scripting in the Image library

Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.

Unix Printing Vulnerabilities Enable Easy DDoS Attacks

All an attacker needs to exploit flaws in the Common Unix Printing System is a few seconds and less than 1 cent in computing costs.

GHSA-4xqv-47rm-37mm: OpenC3 stores passwords in clear text (`GHSL-2024-129`)

### Summary OpenC3 COSMOS stores the password of a user unencrypted in the LocalStorage of a web browser. This makes the user password susceptible to exfiltration via Cross-site scripting (see GHSL-2024-128). Note: This CVE only affects Open Source edition, and not OpenC3 COSMOS Enterprise Edition ### Impact This issue may lead to Information Disclosure. **NOTE:** The complete advisory with much more information is added as [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-4xqv-47rm-37mm#advisory-comment-104905).

GHSA-8jxr-mccc-mwg8: OpenC3 Path Traversal via screen controller (`GHSL-2024-127`)

### Summary A path traversal vulnerability inside of `LocalMode`'s `open_local_file` method allows an authenticated user with adequate permissions to download any `.txt` via the `ScreensController#show` on the web server COSMOS is running on (depending on the file permissions). Note: This CVE affects all OpenC3 COSMOS Editions ### Impact This issue may lead to Information Disclosure. **NOTE:** The complete advisory with much more information is added as [comment](https://github.com/OpenC3/cosmos/security/advisories/GHSA-8jxr-mccc-mwg8#advisory-comment-104903).

Fake Trading Apps Target Victims Globally via Apple App Store and Google Play

A large-scale fraud campaign leveraged fake trading apps published on the Apple App Store and Google Play Store, as well as phishing sites, to defraud victims, per findings from Group-IB. The campaign is part of a consumer investment fraud scheme that's also widely known as pig butchering, in which prospective victims are lured into making investments in cryptocurrency or other financial

Pig Butchering: Fake Trading Apps Target Crypto on Apple, Google Play Stores

Pig Butchering scam targets crypto users with fake trading apps on Apple and Google Play Stores. Disguised as…

SeedDMS 6.0.28 Cross Site Scripting

SeedDMS version 6.0.28 suffers from a persistent cross site scripting vulnerability.