Security
Headlines
HeadlinesLatestCVEs

Tag

#web

CVE-2023-46746: SSRF vulnerability for logged in users

PostHog provides open-source product analytics, session recording, feature flagging and A/B testing that you can self-host. A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog. Posthog did not verify whether a URL was local when enabling webhooks, allowing authenticated users to forge a POST request. This vulnerability has been addressed in `22bd5942` and will be included in subsequent releases. There are no known workarounds for this vulnerability.

CVE
Open in Source
#vulnerability#web#git#ssrf#auth#docker
CVE-2023-42022: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-42022)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265938.

CVE-2023-42009

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 265504.

CVE-2023-46174: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-46174)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 269506.

CVE-2023-38268: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site request forgery (CVE-2023-38268)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. IBM X-Force ID: 260585.

CVE-2023-43015: Security Bulletin: IBM InfoSphere Information Server is vulnerable to cross-site scripting (CVE-2023-43015)

IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 266064.

GHSA-7vwr-g6pm-9hc8: Cookie leakage between different users in fastapi-proxy-lib

### Impact In the implementation of version `0.0.1`, requests from different user clients are processed using a shared `httpx.AsyncClient`. However, one oversight is that the `httpx.AsyncClient` will persistently store cookies based on the `set-cookie` response header sent by the target server and share these cookies across different user requests. This results in a cookie leakage issue among all user clients sharing the same `httpx.AsyncClient`. ### Patches It's fixed in `0.1.0` ### Workarounds If you insist `0.0.1`: - Do not use `ForwardHttpProxy` at all. - Do not use `ReverseHttpProxy` or `ReverseWebSocketProxy` for any servers that may potentially send a `set-cookie` response. **However, it's best to upgrade to the latest version.** ### References fixed in [#10](https://github.com/WSH032/fastapi-proxy-lib/pull/10)

CVE-2023-48893: Vuln0wned Report: SQL Injection in staff_act.php · Issue #209 · slims/slims9_bulian

Senayan Library Management Systems SLIMS 9 Bulian v9.6.1 is vulnerable to SQL Injection via admin/modules/reporting/customs/staff_act.php.