
トピトピニュース

Category: MODERATE (505 posts)

Featured (all posted by GitHub)

  • [org.keycloak:keycloak-core] Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown
  • [baserproject/basercms] baserproject/basercms vulnerable to cross-site scripting (XSS) vulnerability
  • [org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
  • [com.h2database:h2] Password exposure in H2 Database

[froxlor/froxlor] Froxlor vulnerable to Code Injection

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/05/2022, updated 11/15/2022

Froxlor prior to version 0.10.39 is vulnerable to Code Injection.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-3721
https://github.com/froxlor/froxlor/commit/1182453c18a83309a3470b2775c148ede740806c
https://huntr.dev/bounties/a3c506f0-5f8a-4ea…

[deep-parse-json] deep-parse-json vulnerable to Prototype Pollution

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/08/2022

deep-parse-json version 1.0.2 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.
Refere…

[deep-object-diff] deep-object-diff vulnerable to Prototype Pollution

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/17/2022

deep-object-diff before version 1.1.6 allows an external attacker to edit or add new properties to an object. This is possible because the application does not properly validate incoming JSON keys, thus allowing the __proto__ property to be edited. Thi…

[fastest-json-copy] fastest-json-copy vulnerable to Prototype Pollution

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/08/2022

fastest-json-copy version 1.0.1 allows an external attacker to edit or add new properties to an object. This is possible because the application does not correctly validate the incoming JSON keys, thus allowing the __proto__ property to be edited.
Refe…
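The three advisories above (deep-parse-json, deep-object-diff, fastest-json-copy) describe the same root cause: a recursive routine that trusts every key of a parsed JSON document, so a key literally named `__proto__` is written back with `obj[key] = value` and lands on the prototype chain instead of becoming an own property. The following is an added example, not the code of any of those packages: a minimal deep copy and deep merge of the same shape, shown in the vulnerable form and then hardened. The payload, function names and `FORBIDDEN_KEYS` set are constructed for this illustration.

```javascript
// Added example, not the code of deep-parse-json, deep-object-diff or
// fastest-json-copy: a minimal deep copy and deep merge of the same shape as
// those libraries, first in the vulnerable form the advisories describe
// (every JSON key is trusted, "__proto__" included) and then hardened.
// Payloads and function names are constructed for this illustration.

// Keys that obj[key] = value routes through the prototype chain instead of
// storing as an own data property.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE copy: JSON.parse() creates an OWN property literally named
// "__proto__", but writing out["__proto__"] = x does not create one; it calls
// the inherited setter and replaces the prototype of `out` with x. The copy
// then "has" whatever properties the attacker put in that object.
function deepCopyVulnerable(value) {
  if (Array.isArray(value)) return value.map(deepCopyVulnerable);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    out[key] = deepCopyVulnerable(value[key]);
  }
  return out;
}

// VULNERABLE merge: for key "__proto__", target[key] is read through the
// inherited getter and yields Object.prototype, so the recursion writes the
// attacker's keys onto Object.prototype and every plain object in the process
// inherits them (the classic prototype-pollution escalation).
function deepMergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(source[key]) && isPlainObject(target[key])) {
      deepMergeVulnerable(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED copy: drop the dangerous keys instead of trusting them.
function deepCopySafe(value) {
  if (Array.isArray(value)) return value.map(deepCopySafe);
  if (!isPlainObject(value)) return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    out[key] = deepCopySafe(value[key]);
  }
  return out;
}

// HARDENED merge: skip the dangerous keys and only recurse into properties
// the target actually owns, never into anything reached via its prototype.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const targetOwns = Object.prototype.hasOwnProperty.call(target, key);
    if (targetOwns && isPlainObject(target[key]) && isPlainObject(source[key])) {
      deepMergeSafe(target[key], source[key]);
    } else {
      target[key] = deepCopySafe(source[key]);
    }
  }
  return target;
}

// Constructed attacker input: an ordinary JSON document, nothing exotic.
const PAYLOAD = '{"name":"guest","__proto__":{"isAdmin":true}}';

// Runs all four routines on the payload and reports what each one did.
function demo() {
  const parsed = JSON.parse(PAYLOAD); // own key "__proto__", not a prototype
  const results = {};

  const copied = deepCopyVulnerable(parsed);
  results.copyHijacked = copied.isAdmin === true &&
    !Object.prototype.hasOwnProperty.call(copied, 'isAdmin');

  deepMergeVulnerable({}, parsed);
  results.globalPolluted = ({}).isAdmin === true;
  delete Object.prototype.isAdmin; // undo the pollution before the safe runs

  const safeCopy = deepCopySafe(parsed);
  deepMergeSafe({}, parsed);
  results.safeCopyClean = safeCopy.isAdmin === undefined &&
    Object.getPrototypeOf(safeCopy) === Object.prototype;
  results.safeMergeClean = ({}).isAdmin === undefined;
  return results;
}

console.log(demo());
```

The copy-style variant only hijacks the prototype of the returned object (which is still enough to make an absent `isAdmin` read as true on it); the merge-into-existing-object variant escalates to `Object.prototype` and affects every plain object in the process. Building results with `Object.create(null)` also neutralises the setter, but then the result carries an own `__proto__` key that can detonate later when something else merges it, so dropping the key, as above, is the safer default.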

[electron-markdownify] Markdownify has Files or Directories Accessible to External Parties

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/05/2022

Markdownify version 1.4.1 allows an external attacker to remotely obtain arbitrary local files on any client that attempts to view a malicious markdown file through Markdownify. This is possible because the application does not have a CSP policy (or at…

[opencart/opencart] OpenCart allows users on admin page to obtain database information or read server files through SQL injection

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/05/2022

OpenCart 3.0.3.7 allows users with access to the admin panel (backend) to obtain database information or read server files through SQL injection.
References

https://nvd.nist.gov/vuln/detail/CVE-2021-37823
https://medium.com/@nowczj/sql-injection-exists-in-the-background-of-…

[org.kairosdb:kairosdb] Reflected Cross site scripting (XSS) in kairosdb

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022, updated 11/04/2022

KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"

[in2code/femanager] TYPO3 Extension femanager vulnerable to Broken Access Control

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/04/2022

The TYPO3 Extension femanager prior to versions 5.5.2, 6.3.3, and 7.0.1 is vulnerable to broken access control. The usergroup.inList validation can be bypassed, so that new frontend users created by the extension may be members of groups that are r…

[tribalsystems/zenario] Tribal Systems Zenario CMS vulnerable to Cross-site Scripting

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/03/2022, updated 11/04/2022

A vulnerability has been found in Tribal Systems Zenario CMS prior to version 8.5.51340. The issue affects some unknown functionality in the file admin_organizer.js of the Error Log Module component. Manipulation leads to cross site scripti…

[apache-airflow] Apache Airflow Cross-site Scripting vulnerability

  • Posted in MODERATE
  • Posted by GitHub
  • Posted 11/03/2022, updated 11/09/2022

In Apache Airflow versions prior to 2.4.2, the “Trigger DAG with config” screen was susceptible to XSS attacks via the origin query argument.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-43982
https://github.com/apache/airflow/pull/27143
https…
