Cross-site Scripting (XSS) - Reflected in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

Expand Up

@@ -5,7 +5,7 @@

</head\>

<body\>

<rapi-doc

spec-url\="<?=$openApiUrl?>"

spec-url\="<?=$this\->escape($openApiUrl)?>"

show-header\="false"

show-info\="false"

render-style\="read"

Expand All

@@ -14,12 +14,12 @@

<?php if($apiKey): ?>

api-key-name = "api-key"

api-key-location = "header"

api-key-value = "<?=$apiKey?>"

api-key-value = "<?=$this\->escape($apiKey)?>"

<?php endif ?>

  

bg-color\="<?=($bgColor ? $bgColor : '#10131a')?>"

text-color\="<?=($textColor ? $textColor : '#fafafa')?>"

primary-color\="<?=($primaryColor ? $primaryColor : '#0e8fff')?>"

bg-color\="<?=$this\->escape($bgColor ? $bgColor : '#10131a')?>"

text-color\="<?= $this\->escape($textColor ? $textColor : '#fafafa')?>"

primary-color\="<?= $this\->escape($primaryColor ? $primaryColor : '#0e8fff')?>"

\></rapi-doc\>

  

<script type\="module" src\="<?=$this\->base('system:assets/vendor/rapidoc.js')?>"\></script\>

Expand Down

CVE-2023-4432: Fix possible Cross-site Scripting (XSS) in Rest/GraphQL viewer · Cockpit-HQ/Cockpit@2a93d39

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.4.

CVE-2023-4433

Apache NiFi 1.21.0 through 1.23.0 support JDBC and JNDI JMS access in several Processors and Controller Services with connection URL validation that does not provide sufficient protection against crafted inputs. An authenticated and authorized user can bypass connection URL validation using custom input formatting. The resolution enhances connection URL validation and introduces validation for additional related properties. Upgrading to Apache NiFi 1.23.1 is the recommended mitigation.


CVE-2023-40037: Apache NiFi Security Reports

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3.

**Cockpit Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published Aug 18, 2023 to the GitHub Advisory Database • Updated Aug 18, 2023

GHSA-8m65-qq6g-43rr: Cockpit Cross-site Scripting vulnerability

Expand Up @@ -58,16 +58,18 @@ $files = $param; }  
$finfo = finfo\_open(FILEINFO\_MIME\_TYPE); $uploaded = \[\]; $failed = \[\]; $\_files = \[\]; $\_files \= \[\]; $assets = \[\];  
$allowed = $this\->app\->retrieve('assets/allowed\_uploads', '\*'); $allowed = $allowed == '\*' ? true : str\_replace(\[' ', ','\], \['', '|'\], preg\_quote(is\_array($allowed) ? implode(',', $allowed) : $allowed)); $max\_size = $this\->app\->retrieve('assets/max\_upload\_size', 0);  
$forbidden = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'\]; $forbiddenExtension = \['php', 'phar', 'phtml', 'phps', 'htm', 'html', 'htaccess'\]; $forbiddenMime = \['application/x-httpd-php', 'text/html'\];  
if (isset($files\['name'\]) && is\_array($files\['name'\])) {  
Expand All @@ -76,11 +78,15 @@ for ($i = 0; $i < $cnt; $i++) {  
$\_file = $this\->app\->path('#tmp:').'/'.$files\['name'\]\[$i\]; $\_mime = finfo\_file($finfo, $\_file); $\_isAllowed = $allowed === true ? true : preg\_match("/\\.({$allowed})$/i", $\_file); $\_sizeAllowed = $max\_size ? filesize($files\['tmp\_name'\]\[$i\]) < $max\_size : true;  
// prevent uploading php files if ($\_isAllowed && in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), $forbidden)) { // prevent uploading php / html files if ($\_isAllowed && ( in\_array(strtolower(pathinfo($\_file, PATHINFO\_EXTENSION)), $forbiddenExtension) || in\_array(strtolower($\_mime), $forbiddenMime) )) { $\_isAllowed = false; }  
Expand Down

CVE-2023-4422: make assets uploading more secure · Cockpit-HQ/Cockpit@b8dad5e

CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-38910: CVE/CVE-2023- at main · desencrypt/CVE

A Cross-Site Scripting (XSS) vulnerability in CSZ CMS 1.3.0 allows attackers to execute arbitrary code via a crafted payload to the Gallery parameter in the YouTube URL fields.

CVE-2023-38911: CVE/CVE-2023-1 at main · desencrypt/CVE

CVE-2023-38910: CVE/CVE-2023-38910/Readme.md at main · desencrypt/CVE

CVE-2023-38911: CVE/CVE-2023-38911/Readme.md at main · desencrypt/CVE

Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in Spiffy Plugins Spiffy Calendar plugin <= 4.9.3 versions.

**Solution**

 Fixed

Update the WordPress Spiffy Calendar plugin to the latest available version (at least 4.9.4).

LEE SE HYOUNG (hackintoanetwork) discovered and reported this Cross Site Scripting (XSS) vulnerability in WordPress Spiffy Calendar Plugin. This could allow a malicious actor to inject malicious scripts, such as redirects, advertisements, and other HTML payloads into your website which will be executed when guests visit your site. This vulnerability has been fixed in version 4.9.4.

**Other vulnerabilities in this plugin**

 0 present

 7 patched

View all

**WordPress plugin developer?**

Start a free security program for your WordPress plugins or request an audit.

Apply for MVDP

**Security researcher?**

Report to Patchstack Alliance bounty platform and earn monthly cash prizes.

Learn more

Tag

#xss