Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-w766-3572-f2hv: Pimcore Cross-site Scripting (XSS) vulnerability in Admin Translations

### Impact Execute Javascript code on victim browsers and potentially steal cookies to takeover their account. ### Patches Update to version 10.5.21 or apply this patches manually https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/7e32cc28145274ddfc30fb791012d26c1278bd38.patch ### References https://huntr.dev/bounties/e1001870-b8d8-4921-8b9c-bbdfb1a1491e/

ghsa
#xss#vulnerability#git#java
GHSA-6gf5-c898-7rxp: Improper Neutralization of Script in Attributes in XWiki (X)HTML renderers

### Impact HTML rendering didn't check for dangerous attributes/attribute values. This allowed cross-site scripting (XSS) attacks via attributes and link URLs, e.g., supported in XWiki syntax. ### Patches This has been patched in XWiki 14.6 RC1. ### Workarounds There are no known workarounds apart from upgrading to a fixed version. ### References * https://github.com/xwiki/xwiki-rendering/commit/c40e2f5f9482ec6c3e71dbf1fff5ba8a5e44cdc1 * https://jira.xwiki.org/browse/XRENDERING-663 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-mhpj-7m7h-8p6x: Pimcore Cross-site Scripting (XSS) in Static Routes name field

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/07a2c95be524c7e20105cef58c5767d4ebb06091.patch ### References https://huntr.dev/bounties/564cb512-2bcc-4458-8c20-88110ab45801/

CVE-2023-30394: GitHub - ros-planning/moveit: The MoveIt motion planning framework

Progress Ipswitch MoveIT 1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

CVE-2023-30394: | The MoveIt® Companies

MoveIT v1.1.11 was discovered to contain a cross-site scripting (XSS) vulenrability via the API authentication function.

CVE-2023-29031: ArmorStart® ST 281E, 284EE Vulnerable to Multiple XSS Vulnerabilities

A cross site scripting vulnerability was discovered in Rockwell Automation's ArmorStart ST product that could potentially allow a malicious user to view and modify sensitive data or make the web page unavailable. User interaction, such as a phishing attack, is required for successful exploitation of this vulnerability.

CVE-2023-25309: Rollout::UI 0.5 Cross Site Scripting ≈ Packet Storm

Cross Site Scripting (XSS) Vulnerability in Fetlife rollout-ui version 0.5, allows attackers to execute arbitrary code via a crafted url to the delete a feature functionality.

HouseKit 1.0 Cross Site Scripting

HouseKit version 1.0 suffers from a cross site scripting vulnerability.

CVE-2023-22720: WordPress WP Links Page plugin <= 4.9.3 - Cross Site Scripting (XSS) vulnerability - Patchstack

Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Robert Macchi WP Links Page plugin <= 4.9.3 versions.

CVE-2023-2659: CVEproject/Online-Computer-and-Laptop-Store---Multiple-vulnerabilities.md at main · xiahao90/CVEproject

A vulnerability, which was classified as critical, was found in SourceCodester Online Computer and Laptop Store 1.0. This affects an unknown part of the file view_product.php. The manipulation of the argument id leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228801 was assigned to this vulnerability.