トピトピニュース


Featured

Posted by GitHub
[github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
Posted by GitHub
[org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
Posted by GitHub
[bitlyshortener] Package discontinued because Bitly lowered the free quota
Posted by GitHub
[baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[concrete5/concrete5] Concrete CMS vulnerable to Reflected Cross-site Scripting via image manipulation library

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the image manipulation library due to un-sanitized output.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-43694
https://documentation.co…

[concrete5/concrete5] Concrete CMS vulnerable to Reflected Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS – user can cause an administrator to trigger reflected XSS with a url if the targeted administrator is using an old browser that lacks XSS protect…

[concrete5/concrete5] Concrete CMS vulnerable to Uncontrolled Resource Consumption leading to DoS

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

In Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2, the authTypeConcreteCookieMap table can be filled up causing a denial of service (high load).
References

https://nvd.nist.gov/vuln/detail/CVE-2022-43686
https://documentati…

[concrete5/concrete5] Concrete CMS vulnerable to Reflected Cross-Site Scripting via dashboard icons

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the dashboard icons due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
References

https://nvd.nist.gov/vuln/…

[concrete5/concrete5] Concrete CMS vulnerable to Cross-site Scripting via multilingual report

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Reflected XSS in the multilingual report due to un-sanitized output. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
References

https://nvd.nist.gov/v…

[concrete5/concrete5] Concrete CMS vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to Stored Cross-Site Scripting (XSS) in icons since the Microsoft application tile color is not sanitized. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+….

[rdiffweb] rdiffweb vulnerable to Insufficient Session Expiration

  • Posted in CRITICAL
  • Posted by GitHub
  • 11/15/2022, 11/19/2022

Insufficient Session Expiration in GitHub repository ikus060/rdiffweb prior to 2.5.0.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3362
https://github.com/ikus060/rdiffweb/commit/6efb995bc32c8a8e9ad755eb813dec991dffb2b8
https://huntr.dev/bount…

[concrete5/concrete5] Concrete CMS vulnerable to Session Fixation

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 does not issue a new session ID upon successful OAuth authentication. Remediate by updating to Concrete CMS 9.1.3+ or 8.5.10+.
References

https://nvd.nist.gov/vuln/detail/CVE-2…

[com.liferay.portal:release.portal.bom] Missing permissions check in Liferay Portal

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

The Asset Libraries module in Liferay Portal 7.3.5 through 7.4.3.28, and Liferay DXP 7.3 before update 8, and DXP 7.4 before update 29 does not properly check permissions of asset libraries, which allows remote authenticated users to view asset librari…

[com.liferay.portal:release.portal.bom] Incorrect Default Permissions in Liferay Portal

  • Posted in MODERATE
  • Posted by GitHub
  • 11/15/2022, 11/22/2022

The Hypermedia REST APIs module in Liferay Portal 7.4.1 through 7.4.3.4, and Liferay DXP 7.4 GA does not properly check permissions, which allows remote attackers to obtain a WikiNode object via the WikiNodeResource.getSiteWikiNodeByExternalReferenceCo…
