Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability…
[snipe/snipe-it] snipe-it vulnerable to cross-site scripting (XSS)
Cross-site Scripting (XSS) – Stored in GitHub repository snipe/snipe-it prior to v6.0.11.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3035
https://github.com/snipe/snipe-it/commit/9cf5f30c77df6ab60baab1c0e6bb0b4e773f0eae
https://huntr.dev/bou…
[oauth2-server] oauth2-server through 3.1.1 vulnerable to Open Redirect
In oauth2-server (aka node-oauth2-server) through 3.1.1, the value of the redirect_uri parameter received during the authorization and token request is checked against an incorrect URI pattern ([a-zA-Z][a-zA-Z0-9+.-]+:) before making a redirection. Thi…
[pagekit/pagekit] Pagekit CMS cross-site scripting in Markdown text box where articles are edited
A cross-site scripting (XSS) vulnerability in Pagekit CMS v1.0.18 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Markdown text box under /blog/post/edit.
References
https://nvd.nist.gov/vuln/detail/CV…
[@pendo324/get-process-by-name] @pendo324/get-process-by-name is vulnerable to Arbitrary Code Execution
All versions of package @pendo324/get-process-by-name are vulnerable to Arbitrary Code Execution due to improper sanitization in the getProcessByName function.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25644
https://github.com/pendo324/get-proc…
[morgan-json] morgan-json vulnerable to Arbitrary Code Execution
All versions of package morgan-json are vulnerable to Arbitrary Code Execution due to missing sanitization of input passed to the Function constructor.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25921
https://github.com/indexzero/morgan-json…
[intelliants/subrion] Subrion CMS 4.2.1 vulnerable to cross-site scripting in admin panel
Cross Site Scripting (XSS) in the Admin Panel of Subrion CMS 4.2.1 allows an attacker to inject arbitrary code via the Login Field.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-37059
https://drive.google.com/file/d/1lmU8zuyzyC9LHFXuXzamnkcLcjcfs0…
[oslo-utils] python-oslo-utils has improper password parsing
A flaw was found in python-oslo-utils. Due to improper parsing, passwords with a double quote ( " ) in them cause incorrect masking in debug logs, causing any part of the password after the double quote to be plaintext.
References
https://nvd.nist.gov…
[froxlor/froxlor] Froxlor vulnerable to Cross-Site Request Forgery (CSRF)
Cross-Site Request Forgery (CSRF) in GitHub repository froxlor/froxlor prior to 0.10.38.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3017
https://github.com/froxlor/froxlor/commit/bbe82286aae21328668f24857995a67598fe978a
https://huntr.dev/bou…
[exotel] exotel-py 0.1.6 includes code execution backdoor inserted by a third party
The exotel (aka exotel-py) package in PyPI as of 0.1.6 includes a code execution backdoor inserted by a third party. Users should downgrade to version 0.1.5 to avoid the problem.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-38792
https://githu…