#xss

GHSA-m98g-63qj-fp8j: Reflected XSS on clients-registrations endpoint

A POST-based reflected Cross-Site Scripting vulnerability has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts in the user's browser.

### Acknowledgement

Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

GHSA-4g29-fccr-p59w: Reflected Cross-site Scripting in Shopware storefront

### Impact

Non-stored (reflected) XSS in the storefront. Request parameters were assigned directly to the template, so malicious code could be sent via a URL.

### Patches

We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via the Auto-Updater or directly via the download overview: https://www.shopware.com/en/changelog-sw5/#5-7-9

For older versions you can use the Security Plugin: https://store.shopware.com/en/swag575294366635f/shopware-security-plugin.html

### References

https://docs.shopware.com/en/shopware-5-en/security-updates/security-update-04-2022

CVE-2022-28454: Limbas

Limbas 4.3.36.1319 is vulnerable to Cross Site Scripting (XSS).

CVE-2022-28477: GitHub - APTX-4879/CVE

WBCE CMS 1.5.2 is vulnerable to Cross Site Scripting (XSS).

CVE-2022-29413: Hermit 音乐播放器

Cross-Site Request Forgery (CSRF) leading to Stored Cross-Site Scripting (XSS) in Mufeng's Hermit 音乐播放器 plugin <= 3.1.6 on WordPress via the &title parameter.

CVE-2022-29415: WordPress Ravpage plugin <= 2.16 - Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability - Patchstack

Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability in Mati Skiba @ Rav Messer's Ravpage plugin <= 2.16 on WordPress.

CVE-2022-27860: Footer Text

Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) in Shea Bunge's Footer Text plugin <= 2.0.3 on WordPress.

CVE-2022-1514: Sanitized the data read from the ini file to avoid security problems. · NeoRazorX/facturascripts@aa9f28c

Stored XSS via the plugin upload functionality (zip format) in the GitHub repository neorazorx/facturascripts prior to 2022.06. Cross-site scripting attacks can have devastating consequences: code injected into a vulnerable application can exfiltrate data or install malware on the user's machine, and attackers can masquerade as authorized users via session cookies, allowing them to perform any action permitted to that user account.

CVE-2022-29584: Security Announcements - XSS exploit in 'External media' block in Mahara before 20.10.5, 21.04.4, and 21.10.2 - Mahara ePortfolio System

Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 allows stored XSS when a particular Cascading Style Sheets (CSS) class for embedly is used, and JavaScript code is constructed to perform an action.