This vulnerability was reported to the personnummer team in June 2020. The slow response was due to locked ownership of some of the affected packages, which delayed updating those packages prior to disclosure.
The vulnerability is determined to be low…
[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via SlaPolicy module
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the SlaPolicy module. A patch is available at commit e55886781509fe39951fc7528347696474a17884.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3005
https://github.c…
[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the WidgetsManagement module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-2924
https://…
[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via WorkFlow module
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the WorkFlow module. A patch is available at commit cd82ecce44d83f1f6c10c7766bf36f3026de024a.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3004
https://github.co…
[microweber/microweber] Microweber Cross-site Scripting can result in redirection to a malicious site
Microweber versions 1.3.1 and prior are vulnerable to HTML injection that an attacker can use to redirect someone to a malicious site. A patch is available at commit 68f0721571653db865a5fa01c7986642c82e919c and expected to be part of version 1.3.2.
Ref…
[org.apache.kafka:kafka] Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryEx…
[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module
YetiForce CRM versions 6.4.0 and prior are vulnerable to cross-site scripting via the LayoutEditor module. A patch is available at commit eebc12601495ada38495076bec12841b2477516b.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3000
https://githu…
[microweber/microweber] Microweber vulnerable to HTML Injection in create tag functionality
An HTML injection attack is closely related to Cross-site Scripting (XSS). HTML injection uses HTML to deface the page; XSS, as the name implies, injects JavaScript into the page. Both attacks exploit insufficient validation of user input. A patch is avai…
[org.apache.inlong:inlong-common] Apache InLong vulnerable to Deserialization of Untrusted Data
In versions of Apache InLong prior to 1.3.0, an attacker with sufficient privileges to specify MySQL JDBC connection URL parameters and to write arbitrary data to the MySQL database, could cause this data to be deserialized by Apache InLong, potentiall…
[github.com/HFO4/cloudreve] Cross site scripting in Cloudreve
Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to Stored Cross-Site Scripting (XSS) via the file upload functionality. A low-privileged user is able to share a file with an admin user, which could lead to privilege escalation.
References…