
7649 matches found

CVE
added 2023/02/21 8:45 p.m. | 52 views

CVE-2023-25810

CVE-2023-25810 affects Uptime Kuma (self-hosted monitoring tool). The vulnerability is a persistent XSS on the status page in versions prior to 1.20.0. Upgrade to version 1.20.0 or later to fix; there are no documented workarounds. The available sources confirm the issue and the recommended remed...

CVSS 6.3 | AI score 5.5 | EPSS 0.00396
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2023/02/21 8:45 p.m. | 10 views

CVE-2023-25810 Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 6.3 | AI score 6.2 | EPSS 0.00396
Exploits: 0 | References: 1
OSV
added 2023/02/21 8:45 p.m. | 13 views

CVE-2023-25810 Persistent Cross site scripting (XSS) through description in status page in Uptime Kuma

Uptime Kuma is a self-hosted monitoring tool. In versions prior to 1.20.0 the Uptime Kuma status page allows a persistent XSS attack. Users are advised to upgrade. There are no known workarounds for this vulnerability...

CVSS 6.3 | AI score 5.2 | EPSS 0.00396
Exploits: 0 | References: 3
F5 Networks
added 2023/02/21 6:34 p.m. | 40 views

K15244523: 389-ds-base vulnerability CVE-2021-4091

Security Advisory Description A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash. CVE-2021-4091 Impact There is no impact; F5 products ar...

CVSS 7.5 | AI score 6.5 | EPSS 0.01983
Exploits: 0
SUSE CVE
added 2023/02/15 5:58 a.m. | 7 views

SUSE CVE-2010-2791

mod_proxy in httpd in Apache HTTP Server 2.2.9, when running on Unix, does not close the backend connection if a timeout occurs when reading a response from a persistent connection, which allows remote attackers to obtain a potentially sensitive response intended for a different client in...

CVSS 5 | AI score 8.2 | EPSS 0.08284
Exploits: 1 | References: 3
SUSE CVE
added 2023/02/15 5:36 a.m. | 5 views

SUSE CVE-2013-4299

Interpretation conflict in drivers/md/dm-snap-persistent.c in the Linux kernel through 3.11.6 allows remote authenticated users to obtain sensitive information or modify data via a crafted mapping to a snapshot block device...

CVSS 6 | AI score 6.2 | EPSS 0.0381
Exploits: 1 | References: 13
SUSE CVE
added 2023/02/15 5:5 a.m. | 2 views

SUSE CVE-2016-2822

Mozilla Firefox before 47.0 and Firefox ESR 45.x before 45.2 allow remote attackers to spoof the address bar via a SELECT element with a persistent menu...

CVSS 6.5 | AI score 6.8 | EPSS 0.02034
Exploits: 0 | References: 10
SUSE CVE
added 2023/02/15 4:42 a.m. | 2 views

SUSE CVE-2017-11641

GraphicsMagick 1.3.26 has a Memory Leak in the PersistCache function in magick/pixelcache.c during writing of Magick Persistent Cache (MPC) files...

CVSS 5.3 | AI score 7 | EPSS 0.0202
Exploits: 0 | References: 5
SUSE CVE
added 2023/02/15 4:34 a.m. | 4 views

SUSE CVE-2017-1002100

Default access permissions for Persistent Volumes (PVs) created by the Kubernetes Azure cloud provider in versions 1.6.0 to 1.6.5 are set to "container" which exposes a URI that can be accessed without authentication on the public internet. Access to the URI string requires privileged access to the...

CVSS 6.5 | AI score 6.9 | EPSS 0.0133
Exploits: 0 | References: 3
SUSE CVE
added 2023/02/15 4:28 a.m. | 3 views

SUSE CVE-2018-10850

389-ds-base before versions 1.4.0.10, 1.3.8.3 is vulnerable to a race condition in the way 389-ds-base handles persistent search, resulting in a crash if the server is under load. An anonymous attacker could use this flaw to trigger a denial of service...

CVSS 5.9 | AI score 6.7 | EPSS 0.01565
Exploits: 0 | References: 6
SUSE CVE
added 2023/02/15 4:25 a.m. | 2 views

SUSE CVE-2018-14638

A flaw was found in 389-ds-base before version 1.3.8.4-13. The process ns-slapd crashes in delete_passwdPolicy function when persistent search connections are terminated unexpectedly leading to remote denial of service...

CVSS 7.5 | AI score 6.7 | EPSS 0.0265
Exploits: 0 | References: 4
SUSE CVE
added 2023/02/15 4:7 a.m. | 3 views

SUSE CVE-2019-16779

In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition...

CVSS 4.8 | AI score 6.7 | EPSS 0.014
Exploits: 0 | References: 6
SUSE CVE
added 2023/02/15 3:59 a.m. | 2 views

SUSE CVE-2020-11077

In Puma RubyGem before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the firs...

CVSS 6.8 | AI score 6.9 | EPSS 0.02806
Exploits: 0 | References: 15
SUSE CVE
added 2023/02/15 3:56 a.m. | 1 views

SUSE CVE-2020-15675

When processing surfaces, the lifetime may outlive a persistent buffer leading to memory corruption and a potentially exploitable crash. This vulnerability affects Firefox 81...

CVSS 8.8 | AI score 9 | EPSS 0.01017
Exploits: 0 | References: 4
SUSE CVE
added 2023/02/15 3:48 a.m. | 5 views

SUSE CVE-2021-4091

A double-free was found in the way 389-ds-base handles virtual attributes context in persistent searches. An attacker could send a series of search requests, forcing the server to behave unexpectedly, and crash...

CVSS 5.9 | AI score 6.7 | EPSS 0.01983
Exploits: 0 | References: 9
Huntr
added 2023/02/13 5:15 p.m. | 20 views

The XSS payload injected in "Display Name" parameter in creating Contacts are vulnerable to Cross-Site Scripting (Stored/Persistent)

Description The XSS payload injected in "Display Name" parameter in creating Contacts are vulnerable to Cross-Site Scripting (Stored/Persistent). Steps to Reproduce: 1. First is go to the user dashboard then contacts: https://demo.modoboa.org/contacts// 2. Then Add new contact, enter the payload...

AI score 5.3
Exploits: 0
Huntr
added 2023/02/12 8:3 p.m. | 25 views

XSS in Comment Faq news username parameter

Description Stored Cross-Site Scripting (XSS) is a type of security vulnerability that occurs when an attacker injects malicious code into a website that is then stored on the server and served to unsuspecting users. This type of XSS is particularly dangerous because it can persist and continue to...

CVSS 4.9 | AI score 5.3 | EPSS 0.00536
Exploits: 1
Microsoft Malware Protection
added 2023/02/08 5:0 p.m. | 14 views

Solving one of NOBELIUM’s most novel attacks: Cyberattack Series

Our story begins with eight Microsoft Detection and Response Team (DART) analysts gathered around a customer’s conference room to solve a cybersecurity mystery. Joined by members of the customer’s cybersecurity team, they were there to figure out how a Russia-based nation-state hacking group known ...

AI score 0.5
Exploits: 0
Prion
added 2023/02/07 7:15 p.m. | 10 views

Cross site scripting

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In...

CVSS 5.8 | AI score 6 | EPSS 0.00831
Exploits: 1 | References: 7 | Affected Software: 1
OSV
added 2023/02/07 6:14 p.m. | 12 views

CVE-2023-24814 Persisted Cross-Site Scripting in Frontend Rendering in typo3

TYPO3 is a free and open source Content Management Framework released under the GNU General Public License. In affected versions the TYPO3 core component GeneralUtility::getIndpEnv uses the unfiltered server environment variable PATH_INFO, which allows attackers to inject malicious content. In...

CVSS 8.8 | AI score 7.1 | EPSS 0.00831
Exploits: 1 | References: 9