Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via key parameter to the getGoogleExtraConfig task.

**Get to Know MicroStrategy**

Our company vision is intelligence everywhere. Our analytics platform delivers answers, and gets results. Our entire company is committed to your success.

**Pilot Enterprise Analytics**

Quickly deploy consumer-grade BI experiences for every role, on any device, with the platform that provides sub-second response at enterprise scale.

**Make your applications intelligent with Embedded Analytics**

Deliver in-context insights and analysis in any application and on any device. 

**Drive more value with MicroStrategy Cloud    **

Drive digital transformation and scale with confidence.

**Success Stories**

Hear stories from our customers and partners about how they use MicroStrategy to be a more Intelligent Enterprise.

**Featured Customer: Sainsbury's**

Learn how leading UK retailer Sainsbury’s democratized its data to empower every colleague from the store floor to the C-suite, powered by MicroStrategy.

**Featured Customer: Schwarz**

Explore how Schwarz IT enables brands like Lidl and Kaufland to drive global business impact with an enterprise analytics strategy, powered by MicroStrategy.

**Featured Customer: NICE**

Discover how AI-powered innovation and cloud-native technologies help NICE deliver the world’s leading cloud CX platform, with data and analytics visualization from MicroStrategy.

**Find Solutions with MicroStrategy**

Build consumer-grade intelligence applications, empower users with data discovery, and seamlessly push content to employees, partners, and customers in minutes.

01:30

**Overview of the MicroStrategy Platform**

Discover the power of MicroStrategy, the modern, open, enterprise BI platform that delivers intelligence everywhere. Watch this overrview to learn everything you need to know.

36959 views · April 01, 2021

31:41

**Data Storytelling with Dossiers**

Did you know you can easily build no-code analytics applications with MicroStrategy Dossiers? In this session from MicroStrategy World 2022, experts introduced the art of data storytelling.

927 views · February 02, 2022

08:57

**Overview of MicroStrategy Mobile**

Watch the MicroStrategy team review how to integrate context-rich analytics and collaborative workflows with powerful no-code mobile applications. Learn more about traditional mobile applications from the MicroStrategy platform.

3703 views · September 22, 2020

06:27

**Trusted Data for Excel, BI Tools, and Data Science Tools**

Leverage the power of the industry's strongest semantic graph. Watch this to learn how MicroStrategy will help you get the most out of Excel and other BI applications. The tools you love, with data you can trust.

4007 views · September 22, 2020

**HyperIntelligence**

Deploy analytics beyond the analyst by injecting insights and actions into the applications and websites your people use every day.

00:44

**Introduction to HyperIntelligence**

With HyperIntelligence, deliver instant insights into your everyday applications with no code to make informed decisions and take action faster.

25983 views · November 18, 2019

**Embedded Intelligence**

Learn about MicroStrategy's #1 rated platform for Embedded Analytics.

01:00

**Make your Applications Intelligent with Embedded Analytics**

MicroStrategy’s #1-rated Embedded Analytics platform provides faster in-context insights and analysis in any application and on any device. Extend analytics into portals and applications, allowing users to take advantage of actionable insights in their day-to-day workflows.

925 views · October 14, 2021

11:35

**Overview of MicroStrategy Embedded Analytics**

MicroStrategy is the industry leader for application development and embedded analytics. Watch this video to learn more about the functionality related to customization and embedded analytics.

3944 views · May 29, 2020

**Cloud Intelligence**

The fastest, most efficient way to run your Intelligent Enterprise.

03:01

**What to Expect From Your Cloud Migration**

"Learn how you’ll collaborate with our MicroStrategy experts to ensure easy and efficient migration to the cloud—in a matter of weeks with no disruption to your users. "

666 views · June 22, 2021

43:31

**Top Trends: The Future of Cloud Computing**

Explore the top cloud trends on the horizon and learn to leverage robust application and infrastructure security to ensure integrity across a robust suite of analytics applications.

79 views · February 02, 2022

**Resources**

**Partners**

16:23

**Exasol: Turbocharging the BI Stack**

This session showcases how to accelerate time to insights and how to future-proof your MicroStrategy environment by adding Exasol to your data stack.

39 views · February 10, 2022

CVE-2020-22984: Business Intelligence & Analytics Solutions

Cross-Site Scripting (XSS) vulnerability in MicroStrategy Web SDK 10.11 and earlier, allows remote unauthenticated attackers to execute arbitrary code via the searchString parameter to the wikiScrapper task.

CVE-2020-22986

ColdFusion versions CF2021U3 (and earlier) and CF2018U13 are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If an attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the victim's browser.

Security updates available for Adobe ColdFusion | APSB22-22

Adobe has released security updates for ColdFusion versions 2021 and 2018. These updates resolve an Important  vulnerability that could lead to arbitrary code execution.  
   

Adobe categorizes these updates with the following priority rating and recommends users update their installations to the newest versions:

Adobe recommends updating your ColdFusion JDK/JRE to the latest version of the LTS releases for 1.8 and JDK 11. Applying the ColdFusion update without a corresponding JDK update will NOT secure the server.  See the relevant Tech Notes for more details. 

Adobe  also recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.    

*   ColdFusion 2018 Auto-Lockdown guide   
*   ColdFusion 2021 Lockdown Guide

Adobe would like to thank the following for reporting the relevant issues and for working with Adobe to help protect our customers:

*   UB3RSiCK (ub3rsick) - CVE-2022-28818

**ColdFusion JDK Requirement**

**COLDFUSION 2021 (version 2021.0.0.323925) and above**

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

**COLDFUSION 2018 HF1 and above**  

**For Application Servers**   

On JEE installations, set the following JVM flag, "-Djdk.serialFilter= !org.mozilla.\*\*;!com.sun.syndication.\*\*;!org.apache.commons.beanutils.\*\*", in the respective startup file depending on the type of Application Server being used.   

For example:   

Apache Tomcat Application Server: edit JAVA\_OPTS in the ‘Catalina.bat/sh’ file   

WebLogic Application Server:  edit JAVA\_OPTIONS in the ‘startWeblogic.cmd’ file   

WildFly/EAP Application Server:  edit JAVA\_OPTS in the ‘standalone.conf’ file   

Set the JVM flags on a JEE installation of ColdFusion, not on a standalone installation.   

For more information, visit https://helpx.adobe.com/security.html , or email PSIRT@adobe.com

CVE-2022-28818: Adobe Security Bulletin

A bug exist in the input parameter of Access Manager that allows supply of invalid character to trigger cross-site scripting vulnerability. This affects NetIQ Access Manager 4.5 and 5.0

CVE-2021-22531

An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie misses the HttpOnly flag, making it accessible via JavaScript and thus allowing an attacker, able to perform an XSS attack, to steal the session cookie.

%PDF-1.3 %��������� 4 0 obj << /Length 5 0 R /Filter /FlateDecode >> stream x�\\�r�}�W or��!.��m3Ie���zǪ�V���2��d;�A���@�i���ڲAч�F���w���>|�p6߰����q)K����^��+���?�?M�U�f��t�Tw#~)Һ�KV�Lه�3Φ��lr��\`�M>\]0�&3�{w����~24��}5��i��.�&�@M�Mw�����gsin>߲\[��p�k���b�;nI&�sG��/�x�<��/6���ej��+����yVi(��l��'�M��xعWB�.

CVE-2022-25172

Tieba-Cloud-Sign v4.9 was discovered to contain a cross-site scripting (XSS) vulnerability via the function strip_tags.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

**Possible XSS vulnerability #156**

Open

enferas opened this issue

Apr 6, 2022

· 3 comments

**Comments**

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.

case 'setplug':
  $plug = strip\_tags($\_GET\['plug'\]);
  $pluginfo = getPluginInfo($plug);

Then, there is an echo in line 62.

echo '<a href="'.$pluginfo\['plugin'\]\['url'\].'" target="\_blank">';

strip\_tags is not secure in this case. If you can look to this code example the alert will be printed when you press on the link.

<?php
$x = "'javascript:alert()'";
$y = strip\_tags($x);
echo "<a href=$x>ClickMe</a>";

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：

*   用户为**管理员**
*   使用了带有恶意外部链接的插件

**感谢您的反馈，我们将会在晚些时候进行修复**

_translated by deepl.com_

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability

*   The user is an **administrator**
*   A plugin with a malicious url is used

**Thank you for your feedback, we will fix it later**

> if (ROLE != 'admin') msg('权限不足！');
> 
> if (!file\_exists($path . $plugin . '.php')) {
> 
> return false;
> 
> }
> 
> 这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：
> 
> *   用户为**管理员**
> *   使用了带有恶意外部链接的插件
> 
> **感谢您的反馈，我们将会在晚些时候进行修复**
> 
> _translated by deepl.com_
> 
> if (ROLE != 'admin') msg('权限不足！');
> 
> if (!file\_exists($path . $plugin . '.php')) {
> 
> return false;
> 
> }
> 
> This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability
> 
> *   The user is an **administrator**
> *   A plugin with a malicious url is used
> 
> **Thank you for your feedback, we will fix it later**

礼貌问询deepl.com中译英和英译中效果怎么样

Copy link

Collaborator

** **n0099** commented May 16, 2022**

> 礼貌问询deepl.com中译英和英译中效果怎么样

您已经看到了

CVE-2022-28920: Possible XSS vulnerability · Issue #156 · MoeNetwork/Tieba-Cloud-Sign

HTMLCreator release_stable_2020-07-29 was discovered to contain a cross-site scripting (XSS) vulnerability via the function _generateFilename.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2022-28919: Possible XSS vulnerability · Issue #3651 · splitbrain/dokuwiki

**Comments**

Hello,

I would like to report for XSS vulnerability.

In file https://github.com/MoeNetwork/Tieba-Cloud-Sign/blob/master/templates/control.php line 53.

case 'setplug':
  $plug = strip\_tags($\_GET\['plug'\]);
  $pluginfo = getPluginInfo($plug);

Then, there is an echo in line 62.

echo '<a href="'.$pluginfo\['plugin'\]\['url'\].'" target="\_blank">';

strip\_tags is not secure in this case. If you can look to this code example the alert will be printed when you press on the link.

<?php
$x = "'javascript:alert()'";
$y = strip\_tags($x);
echo "<a href=$x>ClickMe</a>";

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

这是一个没有想象中严重的漏洞，我们在前面设置了权限检查挡住了非admin用户的访问，此外文件存在性检查会确保不存在的插件不会被加载，因此触发这个漏洞的需要：

*   用户为**管理员**
*   使用了带有恶意外部链接的插件

**感谢您的反馈，我们将会在晚些时候进行修复**

_translated by deepl.com_

if (ROLE != 'admin') msg('权限不足！');

if (!file\_exists($path . $plugin . '.php')) {

return false;

}

This is not as serious a vulnerability as you might think, we set up a permission check earlier to block access by non-admin users, in addition the file existence check will ensure that non-existent plugins will not be loaded, so two conditions are required to trigger this vulnerability

*   The user is an **administrator**
*   A plugin with a malicious url is used

**Thank you for your feedback, we will fix it later**

Tag

#xss