Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-6790: CVE-2023-6790 PAN-OS: DOM-Based Cross-Site Scripting (XSS) Vulnerability in the Web Interface

A DOM-Based cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to execute a JavaScript payload in the context of an administrator’s browser when they view a specifically crafted link to the PAN-OS web interface.

CVE
#xss#vulnerability#web#js#java
CVE-2023-6767

A vulnerability, which was classified as problematic, was found in SourceCodester Wedding Guest e-Book 1.0. This affects an unknown part of the file /endpoint/add-guest.php. The manipulation of the argument name leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-247899.

GHSA-wgrw-fj3v-fhc5: Cross-site Scripting in silverpeas

Silverpeas Core 6.3.1 and prior are vulnerable to Cross Site Scripting (XSS) via the message/notification feature.

Apple Security Advisory 11-30-2023-2

Apple Security Advisory 11-30-2023-2 - iOS 17.1.2 and iPadOS 17.1.2 addresses code execution and out of bounds read vulnerabilities.

GHSA-6mjg-37cp-42x5: Improper Privilege Management in sap-xssec

### Impact SAP BTP Security Services Integration Library ([Python] sap-xssec) allows under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application. ### Patches Upgrade to patched version >= 4.1.0 We always recommend to upgrade to the latest released version. ### Workarounds No workarounds ### References https://www.cve.org/CVERecord?id=CVE-2023-50423

GHSA-6xmx-85x3-4cv2: Stored XSS via SVG File Upload

#### Impact A user with access to the backoffice can upload SVG files that include scripts. If the user can trick another user to load the media directly in a browser, the scripts can be executed. #### Workaround Implement the server side file validation https://docs.umbraco.com/umbraco-cms/reference/security/serverside-file-validation or Serve all media from an different host (e.g cdn) that where umbraco is hosted

GHSA-v98m-398x-269r: DOM-XSS on Backoffice login screen.

#### Impact Cross-site scripting (XSS) enable attackers to bring malicious content into a website or application.

CVE-2023-6380: Multiple vulnerabilities in Alkacon Software OpenCms

Open redirect vulnerability has been found in the Open CMS product affecting versions 14 and 15 of the 'Mercury' template. An attacker could create a specially crafted URL and send it to a specific user to redirect them to a malicious site and compromise them. Exploitation of this vulnerability is possible due to the fact that there is no proper sanitization of the 'URI' parameter.

CVE-2023-6718: Multiple vulnerabilities in Repox

An authentication bypass vulnerability has been found in Repox, which allows a remote user to send a specially crafted POST request, due to the lack of any authentication method, resulting in the alteration or creation of users.

CVE-2022-27488: Fortiguard

A cross-site request forgery (CSRF) in Fortinet FortiVoiceEnterprise version 6.4.x, 6.0.x, FortiSwitch version 7.0.0 through 7.0.4, 6.4.0 through 6.4.10, 6.2.0 through 6.2.7, 6.0.x, FortiMail version 7.0.0 through 7.0.3, 6.4.0 through 6.4.6, 6.2.x, 6.0.x FortiRecorder version 6.4.0 through 6.4.2, 6.0.x, 2.7.x, 2.6.x, FortiNDR version 1.x.x allows a remote unauthenticated attacker to execute commands on the CLI via tricking an authenticated administrator to execute malicious GET requests.