Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URLs that use the…
[microweber/microweber] Microweber vulnerable to cross-site scripting (XSS)
Microweber version 1.3.1 allows an unauthenticated user to perform an account takeover via an XSS on the ‘select-file’ parameter. A patch was released in the development branch, but it is not yet committed to the main branch.
References
https://nvd….
[spatie/browsershot] Browsershot version 3.57.3 vulnerable to improper input validation
Browsershot version 3.57.3 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the JS content imported from an external source passed to the Browsershot::html method does…
[org.postgresql:postgresql] TemporaryFolder on unix-like systems does not limit access to created files
Vulnerability
PreparedStatement.setText(int, InputStream) and PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 51k.
Example of vulnerable code:
String s = "some very large string greater than 512…
[moodle/moodle] Cross-Site Request Forgery in Moodle
A vulnerability was found in Moodle which exists due to insufficient validation of the HTTP request origin in course redirect URL. A user’s CSRF token was unnecessarily included in the URL when being redirected to a course they have just restored. A re…
[github.com/mattermost/mattermost-server] Denial of service in Mattermost
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple requests to one of the API endpoints which could fetch a large amount of data.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4045
…
[github.com/mattermost/mattermost-server] Denial of service in Mattermost
A denial-of-service vulnerability in Mattermost allows an authenticated user to crash the server via multiple large autoresponder messages.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-4044
https://hackerone.com/reports/1680241
https://matterm…
[backdrop/backdrop] Cross-site Scripting in Backdrop CMS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the Page content.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-42095
https://github.com/backdrop/backdrop/releases/tag/1.23.0
https://g…
[backdrop/backdrop] Cross-site Scripting in Backdrop CMS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via ‘Comments’.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-42097
https://github.com/backdrop/backdrop/releases/tag/1.23.0
https://github….
[backdrop/backdrop] Cross-site Scripting in Backdrop CMS
Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the ‘Card’ content.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-42094
https://github.com/backdrop/backdrop/releases/tag/1.23.0
https:/…