Impact
What kind of vulnerability is it? Who is impacted?
The NMI component in AAD Pod Identity intercepts and validates token requests using a regular expression. In this case, a token request made with a backslash in the request path (example: /metadata/identity\oauth2…
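The following is an added illustration of the bypass class this entry describes, not code from AAD Pod Identity: a request classifier that only recognises forward-slash paths lets a backslash-spelled path skip the branch that validates token requests, and canonicalising the path before matching closes that gap. The token path, the regex and the function names are assumptions made for the example.

```javascript
// Added illustration; hypothetical classifier, not AAD Pod Identity's NMI.
// Assumption: the token endpoint lives at /metadata/identity/oauth2/token.
const TOKEN_PATH_RE = /^\/metadata\/identity\/oauth2\/token(?:\?.*)?$/;

// Naive classifier: only a path written with forward slashes is recognised
// as a token request, so only those requests reach the validation step.
// A path such as /metadata/identity\oauth2/token falls through as "other".
function isTokenRequestNaive(path) {
  return TOKEN_PATH_RE.test(path);
}

// Canonicalise the path part of a request target before matching:
// percent-decode it, fold backslashes to forward slashes, drop empty and
// "." segments and resolve "..". The query string is kept as-is.
// Returns null when the percent-encoding is malformed.
function canonicalPath(rawPath) {
  const q = rawPath.indexOf('?');
  const rawPathPart = q === -1 ? rawPath : rawPath.slice(0, q);
  const query = q === -1 ? '' : rawPath.slice(q);
  let decoded;
  try {
    decoded = decodeURIComponent(rawPathPart);
  } catch (e) {
    return null;
  }
  const segments = [];
  for (const seg of decoded.replace(/\\/g, '/').split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') { segments.pop(); continue; }
    segments.push(seg);
  }
  return '/' + segments.join('/') + query;
}

// Hardened classifier: match on the canonical form and fail closed, so a
// request that cannot be canonicalised is validated rather than passed on.
// (An even stricter policy is to reject any request containing a backslash.)
function isTokenRequestHardened(rawPath) {
  const canon = canonicalPath(rawPath);
  if (canon === null) return true;
  return TOKEN_PATH_RE.test(canon);
}
```

The important property is that classification and downstream routing agree on what a separator is; the naive regex and a proxy or HTTP stack that treats `\` as `/` disagree, which is exactly the gap the advisory describes.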
[smoothie] Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users
The smoothie package from 1.31.0 and before 1.36.1 is vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user input in the strokeStyle and tooltipLabel properties. Exploiting this vulnerability is possible when the user can control thes…
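As an added example (not smoothie's own code; the tooltip builder and its names are assumptions), the snippet below shows why the two properties need different defences: a label rendered as element text must be HTML-encoded, while a stroke style is a CSS colour and must be allow-listed, since encoding does nothing against style or attribute injection.

```javascript
// Added example: hypothetical tooltip builder, not smoothie's code.

// Vulnerable: label and style are concatenated straight into markup. A label
// like <img src=x onerror=alert(1)> becomes live HTML, and a style such as
// red" onmouseover="alert(1) breaks out of the attribute.
function renderTooltipUnsafe(label, value, strokeStyle) {
  return `<div class="tooltip"><span style="color:${strokeStyle}">${label}</span>: ${value}</div>`;
}

// HTML-encode the characters that can change context inside element text or
// a double-quoted attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Allow-list of colour syntaxes: #rgb / #rrggbb, rgb()/rgba() with numeric
// components, or a plain colour keyword. Anything else gets the fallback.
const COLOR_RE = /^(?:#[0-9a-f]{3}(?:[0-9a-f]{3})?|rgba?\(\s*\d{1,3}(?:\s*,\s*\d{1,3}){2}(?:\s*,\s*(?:0|1|0?\.\d+))?\s*\)|[a-z]{3,20})$/i;

function safeStrokeStyle(style, fallback = '#000000') {
  const s = String(style).trim();
  return COLOR_RE.test(s) ? s : fallback;
}

// Hardened: text goes through escapeHtml, the colour through the allow-list.
function renderTooltipSafe(label, value, strokeStyle) {
  const color = safeStrokeStyle(strokeStyle);
  return `<div class="tooltip"><span style="color:${color}">${escapeHtml(label)}</span>: ${escapeHtml(value)}</div>`;
}
```

When the tooltip is built with DOM APIs instead of strings, assigning `textContent` and `style.color` gives the same two separations for free; the string version above makes the distinction explicit.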
[microweber/microweber] Microweber vulnerable to Reflected Cross-site Scripting
Microweber versions 1.3.1 and prior are vulnerable to Reflected Cross-site Scripting (XSS). A patch is available on the 1.4, dev, and laravel-sail branches.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4617
https://github.com/microweber/microw…
[org.apache.zeppelin:zeppelin] Apache Zeppelin Cross-site Scripting vulnerability
An Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Apache Zeppelin allows logged-in users to execute arbitrary JavaScript in other users’ browsers. This issue affects Apache Zeppelin before 0.8.2. U…
[github.com/bradleyfalzon/ghinstallation] ghinstallation returns app JWT in error responses
Impact
In ghinstallation v1, when the request to refresh an installation token failed, the HTTP request and response were returned in the error for debugging, which exposes the app JWT carried in the request's Authorization header.
https://github.com/bradleyfalzon/ghinstallation/blob/24e56b3fb7669f209134a01eff731d7e2ef72a5c/transpor…
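The pattern behind this entry, attaching a raw request and response to an error, is common in HTTP client code. As an added example (not ghinstallation's code, which is Go; the helper, the header list and the sample exchange are constructed for illustration), the snippet below contrasts the leaky form with one that redacts credential headers and JWT-shaped strings before the exchange is formatted into an error message.

```javascript
// Added example: hypothetical error-formatting helper, not ghinstallation's code.

// Constructed sample JWT and exchange (not a real token or a real API response).
const SAMPLE_JWT = 'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOjEyMzQ1fQ.c2lnbmF0dXJl';
const SAMPLE_REQUEST = {
  method: 'POST',
  url: 'https://api.github.com/app/installations/1/access_tokens',
  headers: { Authorization: 'Bearer ' + SAMPLE_JWT, Accept: 'application/vnd.github+json' },
};
const SAMPLE_RESPONSE = {
  status: 401,
  // Constructed body that echoes the credential, as a misbehaving proxy might.
  body: 'upstream rejected token ' + SAMPLE_JWT,
};

// Leaky: the whole exchange, credentials included, ends up in the error text.
function describeFailedExchangeUnsafe(req, res) {
  return `token refresh failed: ${JSON.stringify(req)} ${JSON.stringify(res)}`;
}

// Headers that carry credentials and must never reach logs or error messages.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'set-cookie']);

// Compact JWT shape: three base64url segments separated by dots.
const JWT_RE = /\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g;

function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

function redactText(text) {
  return String(text).replace(JWT_RE, '[REDACTED JWT]');
}

// Hardened: same diagnostic value (method, URL, non-credential headers,
// status, body) with the credential material removed at both layers.
function describeFailedExchange(req, res) {
  const lines = [`request: ${req.method} ${req.url}`];
  for (const [k, v] of Object.entries(redactHeaders(req.headers))) {
    lines.push(`  ${k}: ${v}`);
  }
  lines.push(`response: ${res.status}`);
  lines.push(`  body: ${redactText(res.body)}`);
  return lines.join('\n');
}
```

Header redaction alone is not enough, because a credential can also come back in a response body or a URL; the text-level pass catches the token wherever it appears.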
[github.com/cortexproject/cortex] Cortex’s Alertmanager can expose local files content via specially crafted config
Impact
A local file inclusion vulnerability exists in Cortex versions v1.13.0, v1.13.1 and v1.14.0, where a malicious actor could remotely read local files as a result of parsing maliciously crafted Alertmanager configurations when submitted to the Ale…
[silverstripe/subsites] SilverStripe Subsite weakens file permissions
The subsites module can weaken edit restrictions on some files and allow a malicious user to edit files they do not have edit rights to.
This only affects projects with the subsites module installed. Regression testing should focus on custom file logic…
[whois] FurqanSoftware/node-whois vulnerable to Prototype Pollution
A vulnerability classified as critical has been found in FurqanSoftware/node-whois. An unknown function of the file index.coffee is affected. The manipulation leads to improperly controlled modification of object prototype attributes (‘prototype pollution’). I…
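Whois output is a stream of `Key: Value` lines parsed into an object, which is the shape in which prototype pollution typically shows up. As an added example (not node-whois's index.coffee; the parser, its dotted-key nesting rule and the sample record are constructed for illustration), the snippet below shows a parser that pollutes Object.prototype when a line names `__proto__`, beside a hardened version that uses null-prototype objects and refuses prototype-related key segments.

```javascript
// Added example: hypothetical whois record parser, not node-whois's code.
// Assumption: dotted keys ("a.b") create nested objects, a common convenience.

// Constructed sample record; the last line carries the attacker-controlled key.
const SAMPLE_RECORD = [
  'Domain Name: example.test',
  'Registrar: Example Registrar',
  '__proto__.isAdmin: true',
].join('\n');

function splitLine(line) {
  const idx = line.indexOf(':');
  if (idx === -1) return null;
  return [line.slice(0, idx).trim(), line.slice(idx + 1).trim()];
}

// Vulnerable: walking "__proto__" on a plain object lands on Object.prototype,
// so the final assignment becomes visible on every object in the process.
function setPathUnsafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (typeof node[k] !== 'object' || node[k] === null) node[k] = {};
    node = node[k];
  }
  node[path[path.length - 1]] = value;
}

function parseUnsafe(text) {
  const result = {};
  for (const line of text.split('\n')) {
    const kv = splitLine(line);
    if (kv) setPathUnsafe(result, kv[0].split('.'), kv[1]);
  }
  return result;
}

// Hardened: null-prototype containers (no inherited __proto__ accessor), only
// own properties are descended into, and prototype-related segments are
// rejected outright so the whole record fails closed.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function setPathSafe(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length; i++) {
    const k = path[i];
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`refusing key segment "${k}"`);
    if (i === path.length - 1) { node[k] = value; return; }
    const own = Object.prototype.hasOwnProperty.call(node, k);
    if (!own || typeof node[k] !== 'object' || node[k] === null) node[k] = Object.create(null);
    node = node[k];
  }
}

function parseSafe(text) {
  const result = Object.create(null);
  for (const line of text.split('\n')) {
    const kv = splitLine(line);
    if (kv) setPathSafe(result, kv[0].split('.'), kv[1]);
  }
  return result;
}

// Runs both parsers on the sample and reports what a fresh object sees
// afterwards; cleans up the pollution so the rest of the process is unaffected.
function demonstrate() {
  const probe = {};
  parseUnsafe(SAMPLE_RECORD);
  const pollutedByUnsafe = probe.isAdmin;
  delete Object.prototype.isAdmin;
  let safeError = null;
  try { parseSafe(SAMPLE_RECORD); } catch (e) { safeError = e.message; }
  return { pollutedByUnsafe, safeError, pollutedBySafe: probe.isAdmin };
}
```

A `Map` keyed by the raw key string is an equally good container when nesting is not needed; the point is that untrusted keys must never select a property on an object that has a prototype.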
[oils] Oils JS vulnerable to Open Redirect
A vulnerability was found in oils-js. It affects unknown code in the file core/Web.js. The manipulation leads to an open redirect, and the attack can be initiated remotely. The fix is commit fad8fbae824a7d367dacb90d56cb02c5cb999d42. …
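An open redirect is usually a redirect whose target comes from a request parameter and is checked, if at all, with a string prefix test. As an added example (not oils-js's core/Web.js; the site origin and function name are assumptions), the snippet below validates a target by parsing it with the WHATWG URL parser against the site's own origin and comparing origins, which catches the protocol-relative, backslash and userinfo forms that a `startsWith('/')` check misses.

```javascript
// Added example: hypothetical redirect validator, not oils-js's code.
// Assumption: the application is served from https://app.example.

// Returns a same-origin relative URL to redirect to, or the fallback when the
// requested target would leave the site. Node's global URL class implements
// the WHATWG parser, which is what browsers use to interpret Location headers.
function safeRedirectTarget(input, siteOrigin = 'https://app.example', fallback = '/') {
  if (typeof input !== 'string' || input.length === 0) return fallback;
  let target;
  try {
    target = new URL(input, siteOrigin);
  } catch (e) {
    return fallback;
  }
  // Comparing parsed origins (scheme, host, port) rejects every host-smuggling
  // spelling: //evil, /\evil, https://app.example@evil, a look-alike subdomain,
  // a scheme downgrade, and non-http schemes such as javascript: (origin "null").
  if (target.origin !== new URL(siteOrigin).origin) return fallback;
  // Emit only path, query and fragment so the Location header can never carry
  // a host, even if the base origin is later misconfigured.
  return target.pathname + target.search + target.hash;
}
```

If redirects to other sites are a product requirement, keep this check and add an explicit allow-list of full origins, compared the same way; never compare against a host name with string operations.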
[github.com/usememos/memos] Memos Cross-site Scripting vulnerability
Memos, an open-source, self-hosted memo hub, is vulnerable to stored Cross-site Scripting (XSS) in versions 0.8.3 and prior. A patch is available and anticipated to be part of version 0.9.0.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4609
ht…