A stored Cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.
Reference…
[go.pinniped.dev] Pinniped Supervisor Insufficient Session Expiration vulnerability
Impact
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially use their access token to continue their session beyond what proper use of their refresh token might allow.
Access tokens issued by the Pinniped Superviso…
[org.apache.geode:geode-core] Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data
Apache Geode versions prior to 1.15.0 are vulnerable to a deserialization of untrusted data flaw when using REST API on Java 8 or Java 11. Any user wishing to protect against deserialization attacks involving REST APIs should upgrade to Apache Geode 1….
[prestashop/productcomments] PrestaShop Product Comments Cross-site Scripting vulnerability
Impact
An attacker could steal an admin’s cookie
Patches
The issue is fixed in 5.0.2
References
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
References
https://github.com/PrestaShop/productcomments/security/advi…
[x-data-spreadsheet] x-data-spreadsheet through 1.1.9 vulnerable to Cross-site Scripting
All versions of package x-data-spreadsheet are vulnerable to Cross-site Scripting (XSS) due to missing sanitization of values inserted into the cells.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-25646
https://github.com/myliang/x-spreadsheet/…
[librenms] LibreNMS vulnerable to Cross-Site Scripting (XSS)
LibreNMS version 22.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component print-customoid.php.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-36745
https://github.com/librenms/librenms/pull/14126
https://comm…
[librenms] LibreNMS vulnerable to Cross-Site Scripting (XSS)
LibreNMS version 22.6.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component oxidized-cfg-check.inc.php.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-36746
https://github.com/librenms/librenms/pull/14126
https…
[strapi-plugin-ezforms] Captcha Bypass in strapi-plugin-ezforms
Impact
Users using any captcha providers
Patches
0.1.0
References
Issue
References
https://github.com/excl-networks/strapi-plugin-ezforms/security/advisories/GHSA-8mgq-6r2q-82w9
https://github.com/excl-networks/strapi-plugin-ezforms/issues/15
https:…
[helm.sh/helm/v3] Denial of service through string value parsing
Fuzz testing, by Ada Logics and sponsored by the CNCF, identified input to functions in the strvals package that can cause an out of memory panic. Out of memory panics cannot be recovered from. Applications that use functions from the strvals package i…
[github.com/cilium/cilium] Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels
Impact
If a user has Network Policies with namespace selectors selecting labels of namespaces, or (clusterwide) Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights (either directly…