Security
Headlines
HeadlinesLatestCVEs

Tag

#xss

CVE-2022-25227: Proton v0.2.0 - XSS To RCE | Fluid Attacks

Thinfinity VNC v4.0.0.1 contains a Cross-Origin Resource Sharing (CORS) vulnerability which can allow an unprivileged remote attacker, if they can trick a user into browse malicious site, to obtain an 'ID' that can be used to send websocket requests and achieve RCE.

CVE
Open in Source
#xss#vulnerability#web#windows#nodejs#js#git#java#rce
CVE-2022-25229: Popcorn Time 0.4.7 - XSS to RCE | Fluid Attacks

Popcorn Time 0.4.7 has a Stored XSS in the 'Movies API Server(s)'' field via the 'settings' page. The 'nodeIntegration' configuration is set to on which allows the webpage to use 'NodeJs' features, an attacker can leverage this to run OS commands.

CVE-2022-1806: Reflected XSS in rtx

Cross-site Scripting (XSS) - Reflected in GitHub repository rtxteam/rtx prior to checkpoint_2022-05-18.

CVE-2022-28985: Stored XSS in "Update Status" section under "OrangeBuzz" via the GET/POST parameters `createPost[linkTitle]` and `createPost[linkAddress]` · Issue #1217 · orangehrm/orangehrm

A stored cross-site scripting (XSS) vulnerability in the addNewPost component of OrangeHRM v4.10.1 allows attackers to execute arbitrary web scripts or HTML via a crafted POST request.

CVE-2022-29652: Online Sports Complex Booking System 1.0 Cross Site Scripting ≈ Packet Storm

Online Sports Complex Booking System 1.0 is vulnerable to SQL Injection via /scbs/classes/Users.php?f=save_client.

GHSA-6j22-wv8g-894f: Potential Cross-site Scripting vulnerability in Hydrogen

### Impact There is a potential Cross-Site Scripting (XSS) vulnerability where an arbitrary user is able to execute scripts on pages that are built with Hydrogen. This affects all versions of Hydrogen starting from version 0.10.0 to 0.18.0. This vulnerability is exploitable in applications whose hydrating data is user controlled. ### Patches All Hydrogen users should upgrade their project to v0.19.0. ### Workarounds There is no current workaround, and users should update as soon as possible. Additionally, the Content Security Policy is not an effective mitigation for this vulnerability. ### References GitHub: [Hydrogen v0.19.0](https://github.com/Shopify/hydrogen/releases/tag/%40shopify/hydrogen%400.19.0) Fix PR: https://github.com/Shopify/hydrogen/pull/1272 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Shopify/hydrogen](https://github.com/Shopify/hydrogen/issues/new/choose)

CVE-2022-29449: WordPress Opal Hotel Room Booking plugin <= 1.2.7 - Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Opal Hotel Room Booking plugin <= 1.2.7 at WordPress.

LiquidFiles 3.4.15 Cross Site Scripting

LiquidFiles version 3.4.15 suffers from a cross site scripting vulnerability.

PHPIPAM 1.4.4 Cross Site Request Forgery / Cross Site Scripting

PHPIPAM version 1.4.4 suffers from cross site request forgery and cross site scripting vulnerabilities.

Red Hat Security Advisory 2022-4623-01

Red Hat Security Advisory 2022-4623-01 - This release of Red Hat build of Quarkus 2.7.5 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section. Issues addressed include HTTP request smuggling, cross site scripting, denial of service, information leakage, and privilege escalation vulnerabilities.