トピトピニュース


Featured

  • Posted by GitHub: [github.com/crewjam/saml] crewjam/saml vulnerable to signature bypass via multiple Assertion elements due to improper authentication
  • Posted by GitHub: [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • Posted by GitHub: [bitlyshortener] Package discontinued because Bitly lowered the free quota
  • Posted by GitHub: [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability

[thorsten/phpmyfaq] phpMyFAQ vulnerable to reflected Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 10/31/2022 / 11/02/2022

phpMyFAQ prior to version 3.1.8 is vulnerable to reflected cross-site scripting.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3766
https://github.com/thorsten/phpmyfaq/commit/c7904f2236c6c0dd64c2226b90c30af0f7e5a72d
https://huntr.dev/bounties/…

[thorsten/phpmyfaq] phpMyFAQ vulnerable to stored Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 10/31/2022 / 11/02/2022

phpMyFAQ prior to version 3.1.8 is vulnerable to stored Cross-site Scripting.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3765
https://github.com/thorsten/phpmyfaq/commit/372428d02a08e90b3a253ba5c506cda84581a5af
https://huntr.dev/bounties/613…

[thorsten/phpmyfaq] phpMyFAQ contains Weak Password Requirements

  • Posted in CRITICAL
  • Posted by GitHub
  • 10/30/2022 / 11/01/2022

phpMyFAQ prior to version 3.1.8 has Weak Password Requirements. Version 3.1.8 introduces an eight-character minimum password length.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3754
https://github.com/thorsten/phpmyfaq/commit/d7a87d2646287828…

[pimcore/pimcore] RCE vulnerability in Pimcore/Mail & Dynamic Text Layout

  • Posted in CRITICAL
  • Posted by GitHub
  • 10/29/2022 / 10/29/2022

Impact
Rendering of user-controlled Twig templates in Pimcore/Mail and ClassDefinition\Layout\Text is vulnerable to server-side template injection, leading to remote code execution.
Patches
Update to version 10.5.9 or apply this patch manually https://github.com/pimcore/pimcore/…

[Keylime] Keylime: unhandled exceptions could lead to invalid attestation states

  • Posted in MODERATE
  • Posted by GitHub
  • 10/29/2022 / 10/29/2022

Impact
This vulnerability creates a false sense of security for Keylime users: a user could query Keylime and conclude that a particular node/agent is correctly attested, while attestations are not in fact taking place.
Short explanation: the ke…

[org.apache.dolphinscheduler:dolphinscheduler] Apache DolphinScheduler vulnerable to Path Traversal

  • Posted in MODERATE
  • Posted by GitHub
  • 10/28/2022 / 11/01/2022

Users can read arbitrary files via the log server; Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-26884
https://lists.apache.org/thread/xfdst5y4hnrm2ntmc5jzrgmw2htyyb9c
http://www.ope…

[github.com/hashicorp/boundary] Hashicorp Boundary vulnerable to clickjacking

  • Posted in MODERATE
  • Posted by GitHub
  • 10/28/2022 / 11/01/2022

HashiCorp Boundary is vulnerable to clickjacking, which allows for the interception of login credentials, redirection of users to malicious sites, or causing users to perform malicious actions on the site.
References

https://nvd.nist.gov/vuln/detail/CV…

[wintercms/winter] Prototype pollution in Snowboard framework

  • Posted in HIGH
  • Posted by GitHub
  • 10/28/2022 / 10/28/2022

Impact
The Snowboard framework in affected versions is vulnerable to prototype pollution in the main Snowboard class as well as its plugin loader.
Patches
This issue has been patched in https://github.com/wintercms/winter/commit/2a13faf99972e84c966125…

[rdiffweb] Rdiffweb subject to Business Logic Errors

  • Posted in CRITICAL
  • Posted by GitHub
  • 10/27/2022 / 11/02/2022

Business Logic Errors in GitHub repository ikus060/rdiffweb prior to 2.5.0a7.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3363
https://github.com/ikus060/rdiffweb/commit/c27c46bac656b1da74f28eac1b52dfa5df76e6f2
https://huntr.dev/bounties/b8a4…

[actionpack] Cross-site Scripting in actionpack

  • Posted in LOW
  • Posted by GitHub
  • 10/27/2022 / 10/29/2022

actionpack from the Ruby on Rails project is vulnerable to cross-site scripting in the route error page. This issue has been patched in the referenced commit. There are no known workarounds for this issue.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-…
