ProcessWire v3.0.200 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities via the Search Users and Search Pages function. These vulnerabilities allow attackers to execute arbitrary web scripts or HTML via injection of a crafted…
[processwire/processwire] ProcessWire vulnerable to Cross-Site Request Forgery
ProcessWire v3.0.200 was discovered to contain a Cross-Site Request Forgery (CSRF).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-40488
https://gist.github.com/filipaze/76138289ded98aa45dfcd939a8afd331
http://processwire.com
https://github.com/…
[thorsten/phpmyfaq] phpMyFAQ vulnerable to stored Cross-site Scripting
phpMyFAQ prior to version 3.1.8 is vulnerable to stored Cross-site Scripting.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3765
https://github.com/thorsten/phpmyfaq/commit/372428d02a08e90b3a253ba5c506cda84581a5af
https://huntr.dev/bounties/613…
[thorsten/phpmyfaq] phpMyFAQ vulnerable to reflected Cross-site Scripting
phpMyFAQ prior to version 3.1.8 is vulnerable to reflected cross-site scripting.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-3766
https://github.com/thorsten/phpmyfaq/commit/c7904f2236c6c0dd64c2226b90c30af0f7e5a72d
https://huntr.dev/bounties/…
[Keylime] Keylime: unhandled exceptions could lead to invalid attestation states
Impact
This vulnerability creates a false sense of security for keylime users — i.e. a user could query keylime and conclude that a parcitular node/agent is correctly attested, while attestations are not in fact taking place.
Short explanation: the ke…
[org.apache.dolphinscheduler:dolphinscheduler] Apache DolphinScheduler vulnerable to Path Traversal
Users can read any files by log server, Apache DolphinScheduler users should upgrade to version 2.0.6 or higher.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-26884
https://lists.apache.org/thread/xfdst5y4hnrm2ntmc5jzrgmw2htyyb9c
http://www.ope…
[github.com/hashicorp/boundary] Hashicorp Boundary vulnerable to clickjacking
Hashicorp Boundary is vulnerable to Clickjacking which allow for the interception of login credentials, re-direction of users to malicious sites, or causing users to perform malicious actions on the site.
References
https://nvd.nist.gov/vuln/detail/CV…
[twisted] Twisted vulnerable to NameVirtualHost Host header injection
When the host header does not match a configured host, twisted.web.vhost.NameVirtualHost will return a NoResource resource which renders the Host header unescaped into the 404 response allowing HTML and script injection.
Example configuration:
from twi…
[joyqi/hyper-down] HyperDown vulnerable to Cross-site Scripting
HyperDown is a markdown parser written for the Chinese website SegmentFault. Improper validation of the href attribute allows for Cross-site Scripting. At publication there are no patched versions, and no known workarounds.
References
https://nvd.nist…
[evm] Incorrect is_static parameter for custom stateful precompiles in SputnikVM (evm)
Impact
A custom stateful precompile can use the is_static parameter to determine if the call is executed in a static context (via STATICCALL), and thus decide if stateful operations should be done. Previously, the passed is_static parameter was incorre…