Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2023-1760: fix: added missing conversion to HTML entities · thorsten/phpMyFAQ@56295b5

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE
Open in Source
#xss#git#php
CVE-2023-1755: huntr – Security Bounties for any GitHub repository

Cross-site Scripting (XSS) - Generic in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

CVE-2023-1746

A vulnerability, which was classified as problematic, was found in Dreamer CMS up to 3.5.0. Affected is an unknown function of the component File Upload Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. VDB-224634 is the identifier assigned to this vulnerability.

CVE-2023-1743

A vulnerability classified as problematic has been found in SourceCodester Grade Point Average GPA Calculator 1.0. This affects an unknown part of the file index.php. The manipulation of the argument page leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-224631.

GHSA-2wcr-87wf-cf9j: Kiwi TCMS Stored Cross-site Scripting via SVG file

### Impact Kiwi TCMS accepts SVG files uploaded by users which could potentially contain JavaScript code. If SVG images are viewed directly, i.e. not rendered in an HTML page, this JavaScript code could execute. ### Patches This vulnerability has been fixed by configuring Kiwi TCMS to serve with the Content-Security-Policy HTTP header which blocks inline JavaScript in all modern browsers. ### Workarounds Configure Content-Security-Policy header, see [commit 6617cee0](https://github.com/kiwitcms/Kiwi/commit/6617cee0fb70cc394b7be6bbc86ef84e6e9de077). ### References You can visit https://digi.ninja/blog/svg_xss.php for more technical details. Independently disclosed by [Antonio Spataro](https://huntr.dev/bounties/bf99001b-a0a2-4f7d-98cd-983bc7f14a69/) and [@1d8](https://huntr.dev/bounties/f8c73bcc-02f3-4c65-a92b-1caa4d67c2fd/).

CVE-2023-26692: GitHub - bigzooooz/CVE-2023-26692: ZCBS/ZBBS/ZPBS v4.14k - Reflected XSS

ZCBS Zijper Collectie Beheer Systeem (ZCBS), Zijper Publication Management System (ZPBS), and Zijper Image Bank Management System (ZBBS) 4.14k is vulnerable to Cross Site Scripting (XSS).

Sielco Radio Link 2.06 Cross-Site Request Forgery (Add Admin)

The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.

Microsoft Patches 'Dangerous' RCE Flaw in Azure Cloud Service

The vulnerability would have allowed an unauthenticated attacker to execute code on a container hosted on one of the platform's nodes.

Vulnerability Enabled Bing.com Takeover, Search Result Manipulation

By Habiba Rashid Cybersecurity researchers at Wiz reported the vulnerability to Microsoft and dubbed the attack "BingBang". This is a post from HackRead.com Read the original post: Vulnerability Enabled Bing.com Takeover, Search Result Manipulation

Eve-ng 5.0.1-13 Cross Site Scripting

Eve-ng version 5.0.1-13 suffers from a cross site scripting vulnerability.