TechMedia

Category: MODERATE (588 posts)

Featured

  • [vitess.io/vitess] vitess allows users to create keyspaces that can deny access to already existing keyspaces (Posted by Wpmaster)
  • [github.com/answerdev/answer] Answer vulnerable to account takeover because password reset links do not expire (Posted by Wpmaster)
  • [thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to improper access control (Posted by Wpmaster)
  • [thorsten/phpmyfaq] thorsten/phpmyfaq vulnerable to stored cross-site scripting (XSS) via updatecategory parameter (Posted by Wpmaster)

[editor.md] Pandao Editor.md vulnerable to cross-site scripting (XSS) in iframe src parameter

  • Posted in MODERATE
  • Posted by Wpmaster
  • 04/05/2023, 04/08/2023

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the <iframe> src parameter.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-19697
https://github…

[editor.md] Pandao Editor.md vulnerable to cross-site scripting (XSS) in editor parameter

  • Posted in MODERATE
  • Posted by Wpmaster
  • 04/05/2023, 04/08/2023

Cross-site Scripting vulnerability found in Pandao Editor.md v.1.5.0 allows a remote attacker to execute arbitrary code via a crafted script in the editor parameter.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-19698
https://github.com/pandao/…

[directus] Directus API vulnerable to denial of service

  • Posted in MODERATE
  • Posted by Wpmaster
  • 04/05/2023, 04/08/2023

An issue found in Directus API v.2.2.0 allows a remote attacker to cause a denial of service via a large number of HTTP requests.
References

https://nvd.nist.gov/vuln/detail/CVE-2020-19850
https://github.com/directus/api/issues/982
https://github.com/…

[github.com/mattermost/mattermost-server] Mattermost vulnerable to cross-site scripting (XSS)

  • Posted in MODERATE
  • Posted by Wpmaster
  • 03/31/2023, 04/08/2023

Boards in Mattermost allows an attacker to upload a malicious SVG image file as an attachment to a card and share it using a direct link to the file.
Issue Identifier: MMSA-2023-00139
References

https://nvd.nist.gov/vuln/detail/CVE-2023-1776
https://…

[github.com/mattermost/mattermost-server/v6] Mattermost vulnerable to information disclosure

  • Posted in MODERATE
  • Posted by Wpmaster
  • 03/31/2023, 04/08/2023

When running in a High Availability configuration, Mattermost fails to sanitize some of the user_updated and post_deleted events broadcast to all users, leading to disclosure of sensitive information to some of the users with currently connected Websoc…

[angular] angular vulnerable to regular expression denial of service via the $resource service

  • Posted in MODERATE
  • Posted by Wpmaster
  • 03/30/2023, 04/03/2023

All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted inpu…

[angular] angular vulnerable to regular expression denial of service via the angular.copy() utility

  • Posted in MODERATE
  • Posted by Wpmaster
  • 03/30/2023, 04/03/2023

All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefull…

[angular] angular vulnerable to regular expression denial of service via the element

  • Posted in MODERATE
  • Posted by Wpmaster
  • 03/30/2023, 04/03/2023

All versions of the package angular are vulnerable to Regular Expression Denial of Service (ReDoS) via the element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large…

[openzeppelin-cairo-contracts] OpenZeppelin Contracts contains Improper Verification of Cryptographic Signature

  • Posted in MODERATE
  • Posted by Wpmaster
  • 02/03/2023, 02/03/2023

Cause: is_valid_eth_signature is missing a call to finalize_keccak after calling verify_eth_signature.
Impact: As a result, any contract using is_valid_eth_signature from the account library (such as the EthAccount preset) is vulnerable to a malicious s…

[org.apache.inlong:inlong] Apache InLong vulnerable to Deserialization of Untrusted Data vulnerability

  • Posted in MODERATE
  • Posted by Wpmaster
  • 02/02/2023, 02/03/2023

Deserialization of Untrusted Data vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong’s latest version or cherry-pick https://github.com/ap…
