GSD-2022-1006090 powerpc/64: Init jump labels before parse_early_param()

powerpc/64: Init jump labels before parseearlyparam This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v4.19.256 by commit...

GSD-2022-1005946 powerpc/64: Init jump labels before parse_early_param()

powerpc/64: Init jump labels before parseearlyparam This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.4.211 by commit...

GSD-2022-1005756 powerpc/64: Init jump labels before parse_early_param()

powerpc/64: Init jump labels before parseearlyparam This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.10.138 by commit...

PT-2022-34014 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.10.138 Description: The issue is related to the initialization of jump labels before the parse early param function is called. The actual impact and potential for attack have not been proven yet...

GitLab: Bypass: Stored-XSS with CSP-bypass via scoped labels' color

A Stored-XSS with CSP-bypass vulnerability was discovered in GitLab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. The vulnerability was caused by a missing mitigation for scoped labels, which allowed attackers to create a Stored-XSS with CSP-bypass o...

ManageEngine DataSecurity Plus Xnode Enumeration

This module exploits default admin credentials for the DataEngine Xnode server in DataSecurity Plus versions prior to 6.0.1 6011 in order to dump the contents of Xnode data repositories tables, which may contain a limited amount of Active Directory information including domain names, host names,...

ManageEngine ADAudit Plus Xnode Enumeration

This module exploits default admin credentials for the DataEngine Xnode server in ADAudit Plus versions prior to 6.0.3 6032 in order to dump the contents of Xnode data repositories tables, which may contain a limited amount of Active Directory information including domain names, host names,...

GHSA-PFHR-PCCP-HWMH Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels

Impact If a user has Network Policies with namespace selectors selecting labels of namespaces, or clusterwide Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights either directly or indirectly via higher-level APIs such as...

Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels

Impact If a user has Network Policies with namespace selectors selecting labels of namespaces, or clusterwide Cilium Network Policies matching on namespace labels, then it is possible for an attacker with Kubernetes pod deploy rights either directly or indirectly via higher-level APIs such as...

PT-2022-4599 · Gitlab · Gitlab Ce/Ee +1

Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions prior to 15.1.6 GitLab CE/EE versions 15.2 through 15.2.4 GitLab CE/EE versions prior to 15.3.2 Description: A cross-site scripting issue has been discovered in GitLab CE/EE. The issue is related to the labels colour...

Ubuntu: Security Advisory (USN-395-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

GitLab: Stored-XSS with CSP-bypass via labels' color

Stored-XSS with CSP-bypass was discovered in Gitlab that allowed attackers to execute arbitrary actions on behalf of victims at the client side. This was possible due to the import of unsanitized label colors from Github, which led to the execution of malicious JavaScript code...

CVE-2022-2409

The Rough Chart WordPress plugin through 1.0.0 does not properly escape chart data label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

CVE-2022-2409

The Rough Chart WordPress plugin through 1.0.0 does not properly escape chart data label, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

PT-2022-16459 · WordPress · Rough Chart Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: Rough Chart WordPress plugin versions through 1.0.0 Description: The issue concerns the Rough Chart WordPress plugin, which does not properly escape chart data labels. This could allow high-privilege users to perform Cross-Site Scripting...

WordPress plugin Rough Chart 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

Google Removes "App Permissions" List from Play Store for New "Data Safety" Section

Following the launch of a new "Data safety" section for the Android app on the Play Store, Google appears to be readying to remove the app permissions list from both the mobile app and the web. The change was highlighted by Esper's Mishaal Rahman earlier this week. The Data safety section, which...

CVE-2021-25056

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

Cross site scripting

The Ninja Forms Contact Form WordPress plugin before 3.6.10 does not sanitise and escape field labels, allowing high privilege users to perform Cross-Site Scripting attacks even when the unfilteredhtml capability is disallowed...

PT-2022-10415 · Qualcomm · Snapdragon Mobile +1

Name of the Vulnerable Software and Affected Versions: Snapdragon Connectivity, Snapdragon Mobile affected versions not specified Description: The issue is related to improper serialization of message queue client registration, which can cause a race condition. This condition allows multiple guny...