8792 matches found
GHSA-WF3X-JCCF-5G5G XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
Impact When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a malicious name. The malicious code is solely executed during the upload and affects only the user...
CVE-2024-37900
XWiki Platform is affected by a cross-site scripting (XSS) vulnerability triggered by uploading an attachment with a malicious filename. Root cause: improper handling of attachment filenames during upload allows JavaScript execution in the uploader’s context. Affected versions: pre-14.10.21, pre-...
CVE-2024-37900 XWiki Platform vulnerable to Cross-site Scripting through attachment filename in uploader
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. When uploading an attachment with a malicious filename, malicious JavaScript code could be executed. This requires a social engineering attack to get the victim into uploading a file with a...
PT-2024-5620 · Unknown · Xwiki Platform
Name of the Vulnerable Software and Affected Versions: XWiki Platform versions prior to 14.10.21; XWiki Platform versions prior to 15.5.5; XWiki Platform versions prior to 15.10.6; XWiki Platform versions prior to 16.0.0. Description: The issue is related to the execution of malicious JavaScript code...
Matrix Tafnit security vulnerability
Matrix Tafnit is an enterprise resource planning solution from Matrix. A security vulnerability exists in Matrix Tafnit version v8 that stems from a dependency on the filename or extension of an externally supplied file...
TOTOLINK A3600R security vulnerability
TOTOLINK A3600R is a 6-antenna 1200M wireless router from China's Gion Electronics TOTOLINK. The TOTOLINK A3600R suffers from a buffer overflow vulnerability that originates from improper handling of the FileName parameter in the setUploadSetting function of the /cgi-bin/cstecgi.cgi file. An...
OPENSUSE-SU-2024:0218-1 Security update for exim
This update for exim fixes the following issues: - CVE-2024-39929: Fixed incorrect parsing of multiline rfc2231 header filename (boo#1227423)...
CentOS 7 : less (RHSA-2024:3669)
The remote CentOS Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2024:3669 advisory. - less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typicall...
RHEL 8 : php-pear (Unpatched Vulnerability)
The remote Red Hat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched. - Archive_Tar: improper filename sanitization leads to file overwrites (CVE-2020-28949) - Archive_Tar through...
less: OS command injection
An OS command injection flaw was found in Less. Since quoting is mishandled in filename.c, opening files with attacker-controlled file names can lead to OS command execution. Exploitation requires the LESSOPEN environment variable, which is set by default in many common cases...
VulnCheck KEV: CVE-2021-44892
A Remote Code Execution (RCE) vulnerability exists in ThinkPHP 3.x.x via valuefilename in index.php, which could let a malicious user obtain server control privileges...
EulerOS 2.0 SP10 : less (EulerOS-SA-2024-1888)
According to the versions of the less package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. (CVE-2022-48624) less through 653 allows OS command execution via a...
EulerOS 2.0 SP10 : less (EulerOS-SA-2024-1912)
According to the versions of the less package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: close_altfile in filename.c in less before 606 omits shell_quote calls for LESSCLOSE. (CVE-2022-48624) less through 653 allows OS command execution via a...
Exploit for Improper Encoding or Escaping of Output in Exim
CVE-2024-39929 PoC Vulnerability Brief Exim through 4.97...
SUSE-SU-2024:2463-1 Security update for squashfs
This update for squashfs fixes the following issues: - CVE-2015-4645, CVE-2015-4646: Multiple buffer overflows fixed in squashfs-tools (bsc#935380) - CVE-2021-40153: Fixed an issue where an attacker might have been able to write a file outside of destination (bsc#1189936) - CVE-2021-41072: Fixed an issu...
Critical Exim Mail Server Vulnerability Exposes Millions to Malicious Attachments
A critical security issue has been disclosed in the Exim mail transfer agent that could enable threat actors to deliver malicious attachments to target users' inboxes. The vulnerability, tracked as CVE-2024-39929, has a CVSS score of 9.1 out of 10.0. It has been addressed in version 4.98. "Exim...
Ubuntu 16.04 LTS : Apport vulnerabilities (USN-6894-1)
The remote Ubuntu 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6894-1 advisory. Muqing Liu and neoni discovered that Apport incorrectly handled detecting if an executable was replaced after a crash. A local attacker could possibly us...
Gallagher Controller 6000 and Gallagher Controller 7000 Security Vulnerabilities
The Gallagher Controller 6000 and Gallagher Controller 7000 are both products of Gallagher New Zealand. The Gallagher Controller 6000 is an interface between a Gallagher Command Center server and distributed field hardware. The Gallagher Controller 7000 is a powerful network connected controller. ...
VulnCheck KEV: CVE-2024-38735
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Bastien Ho Event post event-post. This issue affects Event post: from n/a through <= 5.9.5...