Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

GHSA-q4qh-8pxw-r48q: Subrion CMS vulnerable to Cross Site Scripting

Subrion CMS 4.2.1 is vulnerable to Cross Site Scripting (XSS) via adminer.php.

ghsa
#xss#vulnerability#git#intel#php
Hospital Management System 1.0 Cross Site Scripting

Hospital Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges. Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1. "This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user

GHSA-63h4-w25c-3qv4: Kirby vulnerable to Cross-site scripting (XSS) in the link field "Custom" type

### TL;DR This vulnerability affects Kirby sites that use the new [link field](https://getkirby.com/docs/reference/panel/fields/link) and output the entered link without additional validation or sanitization. The attack commonly requires user interaction by another user or visitor. The link dialog of the writer field is *not* affected as the writer field content is automatically sanitized by the Kirby backend code. You are also already protected if you limit the acceptable link types with the `options` field property. ---- ### Introduction Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Such vulnerabilities are critical if you might have potential attackers in your group of authenticated Panel users. They can escalate their privileges if they get access to t...

GHSA-57f2-8p89-66x6: Kirby vulnerable to self cross-site scripting (self-XSS) in the URL field

### TL;DR This vulnerability affects Kirby sites that use the [URL field](https://getkirby.com/docs/reference/panel/fields/url) in any blueprint. A successful attack commonly requires knowledge of the content structure by the attacker as well as social engineering of a user with access to the Panel. The attack *cannot* be automated. The vulnerability is also limited to self-XSS and *cannot* directly affect other users or visitors of the site. ---- ### Introduction Cross-site scripting (XSS) is a type of vulnerability that allows to execute any kind of JavaScript code inside the Panel session of the same or other users. In the Panel, a harmful script can for example trigger requests to Kirby's API with the permissions of the victim. Self cross-site scripting (self-XSS, also called reflected XSS) typically involves a user inadvertently executing malicious code within their own context, often through social engineering techniques. This can occur when a user is tricked into pasting ...

GHSA-xrvh-rvc4-5m43: Kirby vulnerable to unrestricted file upload of user avatar images

### TL;DR This vulnerability affects all Kirby sites that might have potential attackers in the group of authenticated Panel users. The attack requires user interaction by another user or visitor and *cannot* be automated. ---- ### Introduction Unrestricted upload of files with a dangerous type is a type of vulnerability that allows to circumvent expectations and protections in the server setup or backend code. Uploaded files are not checked for their compliance with the intended purpose of the upload target, which can introduce secondary attack vectors. While the vulnerability described here does *not* allow critical attacks like remote code execution (RCE), it can still be abused to upload unexpected file types that could for example make it possible to perform cross-site scripting (XSS) attacks. ### Impact Users with Panel access can upload a user avatar in their own account view. This avatar is intended to be an image, however the file type or file extension was not validat...

Ubuntu Security Notice USN-6654-1

Ubuntu Security Notice 6654-1 - It was discovered that Roundcube Webmail incorrectly sanitized characters in the linkrefs text messages. An attacker could possibly use this issue to execute a cross-site scripting attack.

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

The FBI's takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county's ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

Authorities Claim LockBit Admin "LockBitSupp" Has Engaged with Law Enforcement

LockBitSupp, the individual(s) behind the persona representing the LockBit ransomware service on cybercrime forums such as Exploit and XSS, "has engaged with law enforcement," authorities said. The development comes following the takedown of the prolific ransomware-as-a-service (RaaS) operation as part of a coordinated international operation codenamed Cronos. Over 14,000 rogue

GHSA-6749-m5cp-6cg7: Cross-site Scripting in MLFlow

Insufficient sanitization in MLflow leads to XSS when running an untrusted recipe. This issue leads to a client-side RCE when running an untrusted recipe in Jupyter Notebook. The vulnerability stems from lack of sanitization over template variables.