A vulnerability, which was classified as problematic, was found in Mingsoft MCMS 5.2.8. Affected is an unknown function of the file search.do. The manipulation of the argument content_title leads to cross-site scripting. It is possible to launch the at…
[com.ruoyi:ruoyi-common] RuoYi-Cloud Cross-site Scripting vulnerability
A vulnerability was found in y_project RuoYi-Cloud. It has been rated as problematic. Affected by this issue is some unknown functionality of the component JSON Handler. The manipulation leads to cross-site scripting. The attack may be launched remotel…
[github.com/containerd/containerd] containerd CRI stream server vulnerable to host memory exhaustion via terminal
Impact
A bug was found in containerd’s CRI implementation where a user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal resize events if a TTY is requested. If the user’s process fails to launch due t…
[certifi] Certifi removing TrustCor root certificate
Certifi 2022.12.07 removes root certificates from “TrustCor” from the root store. These are in the process of being removed from Mozilla’s trust store.
TrustCor’s root certificates are being removed pursuant to an investigation prompted by media report…
[github.com/labstack/echo/v4] Echo vulnerable to directory traversal
Due to improper sanitization of user input on Windows, the static file handler allows for directory traversal, allowing an attacker to read files outside of the target directory that the server has permission to read.
References
https://nvd.nist.gov/v…
[baserproject/basercms] baserCMS vulnerable to stored Cross-site Scripting
Stored cross-site scripting vulnerability in Permission Settings of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
References
https://nvd.nist.gov/vuln/detail/CVE…
[baserproject/basercms] baserCMS vulnerable to stored Cross-site Scripting
Stored cross-site scripting vulnerability in User group management of baserCMS versions prior to 4.7.2 allows a remote authenticated attacker with an administrative privilege to inject an arbitrary script.
References
https://nvd.nist.gov/vuln/detail/C…
[Passeo] Passeo uses insecure random number generator
Impact
Everyone using a version below v1.0.5 is impacted by this flaw: confidentiality is at risk because passwords generated with Passeo's use of the random library can be easily guessed. It is recommended to change any passwords made with Passeo before v1…
[concrete5/concrete5] Concrete CMS vulnerable to cross-site scripting in the text input field
Concrete CMS (formerly concrete5) below 8.5.10 and between 9.0.0 and 9.1.2 is vulnerable to XSS in the text input field since the result dashboard page output is not sanitized. The Concrete CMS security team has ranked this 4.2 with CVSS v3.1 vector AV…
[guarddog] GuardDog vulnerable to arbitrary file write when scanning a specially-crafted remote PyPI package
Summary
Unsafe extracting using shutil.unpack_archive() from a remotely retrieved tarball may lead to writing the extracted file to an unintended destination.
Details
Extracting files using shutil.unpack_archive() from a potentially malicious tarball w…