Impact
The crewjam/saml go library is vulnerable to an authentication bypass when processing SAML responses containing multiple Assertion elements.
Patches
This issue has been corrected in version 0.4.9.
Credit
This issue was reported by Felix Wilhelm f…
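The advisory above gives the shape of the bug but not the fix. As an added illustration that is not code from crewjam/saml or from the advisory, the Go snippet below shows the pre-check a service provider can run on its own before handing a Response to any SAML library: walk the raw XML token stream, count every saml:Assertion and saml:EncryptedAssertion at any depth, and refuse the document unless there is exactly one. The two Response documents are constructed samples, not real IdP output; the function names and the "exactly one" policy are this example's own choices rather than the library's API.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io"
	"strings"
)

// Namespace in which SAML 2.0 Assertion and EncryptedAssertion elements live.
const samlAssertionNS = "urn:oasis:names:tc:SAML:2.0:assertion"

// countAssertions walks the raw token stream of a Response and counts every
// saml:Assertion / saml:EncryptedAssertion start element at any depth.
// Walking tokens rather than unmarshalling into a struct matters: a struct
// field typed as a single Assertion keeps only one of several matching
// elements, so the element whose signature was verified and the element
// whose Subject is consumed can end up being different ones.
func countAssertions(response string) (int, error) {
	dec := xml.NewDecoder(strings.NewReader(response))
	n := 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return n, nil
		}
		if err != nil {
			return 0, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok {
			continue
		}
		// encoding/xml resolves prefixes, so Name.Space holds the namespace URI.
		if se.Name.Space == samlAssertionNS &&
			(se.Name.Local == "Assertion" || se.Name.Local == "EncryptedAssertion") {
			n++
		}
	}
}

// ValidateSingleAssertion is the pre-check: refuse the Response outright
// unless it carries exactly one assertion, before any signature, Conditions
// or Subject processing happens. Zero assertions is rejected as well.
func ValidateSingleAssertion(response string) error {
	n, err := countAssertions(response)
	if err != nil {
		return fmt.Errorf("malformed SAML response: %w", err)
	}
	if n != 1 {
		return fmt.Errorf("expected exactly one Assertion, found %d", n)
	}
	return nil
}

// Constructed samples (not real IdP output): a normal Response, and one to
// which a second assertion for a different subject has been appended.
const singleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`

const doubleAssertion = `<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>`

func main() {
	for name, resp := range map[string]string{"single": singleAssertion, "double": doubleAssertion} {
		fmt.Printf("%s: %v\n", name, ValidateSingleAssertion(resp))
	}
}
```

The check is deliberately independent of which assertion is signed: a Response with two assertions is rejected even if both carry valid signatures, because the SAML Web Browser SSO profile gives the SP no reason to expect more than one and no safe rule for choosing between them. Run it on the decoded, not yet canonicalised, Response bytes so that an element hidden inside a comment or a different prefix cannot escape the count.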
[org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
Summary
A Stored XSS vulnerability was reported on the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the adm…
[bitlyshortener] Package discontinued because Bitly lowered the free quota
On November 17, 2022, an email was received from Bitly advising that the new link quota per free token is lowered to 50 per month (from its previous value of 1000 per month). As per the email, this change is effective on December 8, 2022.
The new quota…
[baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
There is a cross-site scripting vulnerability on the management system of baserCMS.
This vulnerability needs to be addressed where the management system is used by an unspecified number of users.
If you are eligible, please update to the new v…
[net.sf.mpxj-for-csharp] Temporary File Information Disclosure vulnerability in MPXJ
Impact
On Unix-like operating systems (not Windows or macOS), MPXJ's use of File.createTempFile(..) results in temporary files being created with the permissions -rw-r--r--. This means that any other user on the system can read the contents of this fil…
[phpxmlrpc/phpxmlrpc] code injection in phpxmlrpc/phpxmlrpc
Code injection in Wrapper::buildClientWrapperCode via manipulation of the $client argument. It was possible to force the client to access local files or connect to undesired URLs instead of the intended target server's URL.
References
https://github.c…
[ghost] ghost vulnerable to unauthorized newsletter modification via improper access controls
Impact
On sites where the Members feature is enabled (this is the default), it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have …
[decode-uri-component] decode-uri-component vulnerable to Denial of Service (DoS)
decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38900
https://github.com/SamVerschueren/decode-uri-component/issues/5
https://github.com/sindresorhus/query-st…
[org.jeecgframework.boot:jeecg-boot-common] Jeecg-boot vulnerable to SQL Injection
Jeecg-boot v3.4.3 was discovered to contain a SQL injection vulnerability via the component /sys/duplicate/check.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-45206
https://github.com/jeecgboot/jeecg-boot/issues/4129
http://jeecg-boot.com
http…
[electron] Heap buffer overflow in GPU
Heap buffer overflow in GPU in Google Chrome prior to 107.0.5304.121 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)
References
http…