Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-34657: EyouCMS v1.6.2 has stored xss · Issue #43 · weng-xianhu/eyoucms

A stored cross-site scripting (XSS) vulnerability in Eyoucms v1.6.2 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the web_recordnum parameter.

CVE
Open in Source
#xss#vulnerability#web#git
CVE-2023-3311

A vulnerability, which was classified as problematic, was found in SourceCodester Advance Charity Management System 1.0. This affects an unknown part of the file addsuppliers.php. The manipulation of the argument First name leads to cross site scripting. It is possible to initiate the attack remotely. The associated identifier of this vulnerability is VDB-231807.

CVE-2023-3309

A vulnerability classified as problematic was found in SourceCodester Resort Reservation System 1.0. Affected by this vulnerability is an unknown functionality of the file ?page=rooms of the component Manage Room Page. The manipulation of the argument Cottage Number leads to cross site scripting. The attack can be launched remotely. The identifier VDB-231805 was assigned to this vulnerability.

CVE-2023-33438: CVEs/CVE-2023-33438/README.md at main · justas-dee/CVEs

A stored Cross-site scripting (XSS) vulnerability in Wolters Kluwer TeamMate+ 35.0.11.0 allows remote attackers to inject arbitrary web script or HTML.

GHSA-68jh-rf6x-836f: @apollo/server vulnerable to unsafe application of Content Security Policy via reused nonces

### Context Content Security Policies (CSP) are a defense-in-depth strategy against XSS attacks. Improper application of CSP isn't itself a vulnerability, but it does fail to prevent XSS in the event that there is a viable attack vector for an XSS attack. ### Impact There aren't any XSS attack vectors via the Apollo Server landing pages _known to Apollo_, so to our knowledge there is no impact. However, if there are existing XSS vectors that haven't been reported and patched, then all users of Apollo Server's landing pages have a vulnerability which won't be prevented by the current CSP implemented by the landing pages. ### Patches The issue is patched in the latest version of Apollo Server, v4.7.4. ### Workarounds The landing page can be disabled completely until the patch can be upgraded to. https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/#disabling-the-landing-page ### References https://content-security-policy.com/nonce/

CVE-2023-34660: /jeecg-boot/jmreport/upload接口存在未授权任意文件上传 · Issue #4990 · jeecgboot/jeecg-boot

jjeecg-boot V3.5.0 has an unauthorized arbitrary file upload in /jeecg-boot/jmreport/upload interface.

CVE-2023-30223: Packet Storm

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions.

QuickJob Portal 6.1 Cross Site Scripting

QuickJob Portal version 6.1 suffers from a cross site scripting vulnerability.

Quicklancer Freelance Marketplace 2.4 Cross Site Scripting

Quicklancer Freelance Marketplace version 2.4 suffers from a cross site scripting vulnerability.

QuickHomes Real Estate CMS 1.3 Cross Site Scripting

QuickHomes Real Estate CMS version 1.3 suffers from a cross site scripting vulnerability.