The package liquidjs before 10.0.0 is vulnerable to Information Exposure when the ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype.
Workaround
For versions 9.34.0 and higher, an option to disable this functional…
[jsonwebtoken] jsonwebtoken's insecure implementation of the key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
Overview
Versions <=8.5.1 of the jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function (referring to the secretOrPublicKey argument from the readme link) will result in incorrect verification of tokens. Th…
[jsonwebtoken] jsonwebtoken vulnerable to signature validation bypass due to insecure default algorithm in jwt.verify()
Overview
In versions <=8.5.1 of the jsonwebtoken library, a missing algorithm definition combined with a falsy secret or key in the jwt.verify() function can lead to signature validation bypass, because verification defaults to the none algorithm.
Am …
[jsonwebtoken] jsonwebtoken unrestricted key type could lead to legacy keys usage
Overview
Versions <=8.5.1 of the jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
Am I affected?
You are affected if you ar…
[rdiffweb] rdiffweb Open Redirect vulnerability
rdiffweb prior to version 2.5.4 has an Open Redirect vulnerability.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4644
https://github.com/ikus060/rdiffweb/commit/5f861670ef8f38ca8eea52a98672d0e0fabb5368
https://huntr.dev/bounties/77e5f425-c764-…
[microweber/microweber] Microweber vulnerable to Stored Cross-Site Scripting
Microweber versions 1.3.1 and prior are vulnerable to stored Cross-site Scripting (XSS). A patch is available on the 1.4, dev, and laravel-sail branches.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4647
https://github.com/microweber/microwebe…
[rdiffweb] rdiffweb vulnerable to Cross-Site Request Forgery
rdiffweb prior to version 2.5.4 is vulnerable to Cross-Site Request Forgery (CSRF).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4646
https://github.com/ikus060/rdiffweb/commit/e6f0d8002129be90fe82fa3e3ea0a6942caba398
https://huntr.dev/bountie…
[net.mingsoft:ms-mcms] Mingsoft MCMS Cross-site Scripting vulnerability
A vulnerability has been found in Mingsoft MCMS 5.2.9 and classified as problematic. Affected by this vulnerability is the function save of the component Article Handler. The manipulation leads to cross-site scripting. The attack can be launched remote…
[collective.contact.widget] collective.contact.widget is vulnerable to cross-site scripting
collective.contact.widget is an add-on that is part of the collective.contact.* suite. A vulnerability classified as problematic was found in collective.contact.widget up to 1.12. This vulnerability affects the function title of the file src/collective/cont…
[github.com/studygolang/studygolang] studygolang vulnerable to cross-site scripting
A vulnerability classified as problematic has been found in studygolang. This affects an unknown part of the file static/js/topics.js. The manipulation of the argument contentHtml leads to cross-site scripting. It is possible to initiate the attack rem…