トピトピニュース

Category: MODERATE (505 Posts)

Featured

  • Posted by GitHub: [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • Posted by GitHub: [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
  • Posted by GitHub: [org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
  • Posted by GitHub: [com.h2database:h2] Password exposure in H2 Database

[snipe/snipe-it] Insufficient Session Expiration in snipe/snipe-it

  • Posted in MODERATE
  • Posted by GitHub
  • 08/26/2022 / 09/08/2022

Session Fixation in GitHub repository snipe/snipe-it prior to version 6.0.10. The session is not invalidated after a password change.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-2997
https://github.com/snipe/snipe-it/commit/6fde72a69335c80079…

[exceedone/laravel-admin] exceedone/exment and exceedone/laravel-admin Cross-site Scripting vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • 08/25/2022 / 09/17/2022

Reflected cross-site scripting vulnerability in Exment ((PHP8) exceedone/exment v5.0.2 and earlier and exceedone/laravel-admin v3.0.0 and earlier, (PHP7) exceedone/exment v4.4.2 and earlier and exceedone/laravel-admin v2.2.2 and earlier) allows a remot…

[uri-template-lite] uri-template-lite Regular Expression Denial of Service

  • Posted in MODERATE
  • Posted by GitHub
  • 08/25/2022 / 09/09/2022

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the uri-template-lite npm package, when an attacker is able to supply arbitrary input to the “URI.expand” method. A fix is available on the main branch of the repository.
R…

[getkirby/cms] Kirby CMS 2.5.12 Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • 08/25/2022 / 09/17/2022

An issue was discovered in Kirby 2.5.12. The application allows malicious HTTP requests to be sent in order to trick a user into adding web pages.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-14520
https://www.exploit-db.com/exploits/45068
htt…

[getkirby/cms] Kirby CMS 2.5.12 Cross-site Request Forgery

  • Posted in MODERATE
  • Posted by GitHub
  • 08/25/2022 / 09/17/2022

An issue was discovered in Kirby 2.5.12. The delete page functionality suffers from a CSRF flaw. A remote attacker can craft a malicious CSRF page and force the user to delete a page.
References

https://nvd.nist.gov/vuln/detail/CVE-2018-14519
https://…

[ansible-runner] ansible-runner 2.0.0 vulnerable to Race Condition

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022 / 09/02/2022

A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner’s private_data_dir the next time …

[org.jenkins-ci.plugins:git] Improper masking of credentials Jenkins in Git Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022 / 11/30/2022

Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (gitUsernamePassword) credentials binding.
References

https://nvd.nist.gov/vuln/detail/C…

[org.jenkins-ci.plugins:jobConfigHistory] Cross-site Scripting in Jenkins Job Configuration History Plugin

  • Posted in MODERATE
  • Posted by GitHub
  • 08/24/2022 / 11/29/2022

Jenkins Job Configuration History Plugin 1165.v8cc9fd1f4597 and earlier does not escape the job name on the System Configuration History page, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure job…

[OctoPrint] Unverified Password Change in OctoPrint

  • Posted in MODERATE
  • Posted by GitHub
  • 08/23/2022 / 08/31/2022

Versions of OctoPrint prior to 1.8.3 did not require the current user password in order to change that user's password. As a result, users could be locked out of their accounts or have their accounts stolen under certain circumstances.
References

https:…

[yetiforce/yetiforce-crm] Cross site scripting in yetiforce/yetiforce-crm

  • Posted in MODERATE
  • Posted by GitHub
  • 08/23/2022 / 08/31/2022

Cross-site Scripting (XSS) – Stored in GitHub repository yetiforcecompany/yetiforcecrm prior to 6.4.0.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-1340
https://github.com/yetiforcecompany/yetiforcecrm/commit/2c14baaf8dbc7fd82d5c585f2fa0c23528…
