Lucene search: 8234 matches found

OSV · added 2023/12/12 2:15 a.m.

CVE-2023-6542

Due to a lack of proper authorization checks in the Emarsys SDK for Android, an attacker can call a particular activity and forward web pages and/or deep links to himself without any validation directly from the host application. On a successful attack, an attacker could navigate to an arbitrary URL...

CVSS 7.1 · AI score 6 · Exploits 0 · References 2
Positive Technologies · added 2023/12/12 12:00 a.m.

PT-2023-31146 · Microsoft · Asp.Net

Name of the Vulnerable Software and Affected Versions: Umbraco versions 7.0.0 through 7.15.10; Umbraco versions 8.0.0 through 8.18.8; Umbraco versions 10.0.0 through 10.6.9; Umbraco versions 11.0.0 through 11.4.9; Umbraco versions 12.0.0 through 12.1.9
Description: Umbraco is an ASP.NET content...

CVSS 5.4 · AI score 5.4 · EPSS 0.00387 · Exploits 0 · References 11
ATTACKERKB · added 2023/12/11 1:15 a.m.

CVE-2023-50465

A stored cross-site scripting (XSS) vulnerability exists in Monica aka MonicaHQ 4.0.0 via an SVG document uploaded by an authenticated user...

CVSS 5.4 · AI score 6 · EPSS 0.00578 · Exploits 1 · References 4
CNNVD · added 2023/12/11 12:00 a.m.

MonicaHQ Security Breach

MonicaHQ is a relationship management system from MonicaHQ, Inc. A security vulnerability exists in MonicaHQ version 4.0.0. An attacker can exploit this vulnerability to upload SVG documents that contain cross-site scripting vulnerabilities...

CVSS 5.4 · AI score 6.4 · EPSS 0.00578 · Exploits 1 · References 4
Positive Technologies · added 2023/12/08 12:00 a.m.

PT-2023-9161 · Ghost · Ghost

Name of the Vulnerable Software and Affected Versions: Ghost versions prior to 5.76.0
Description: The issue is related to the lack of protection of the web page structure, allowing a remote attacker to conduct a cross-site scripting (XSS) attack by sending a specially crafted malicious SVG file...

CVSS 9 · AI score 5.7 · EPSS 0.03485 · Exploits 1 · References 26
OSV · added 2023/12/07 8:15 p.m.

DEBIAN-CVE-2023-49465

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derivespatiallumavectorprediction function at motion.cc...

CVSS 8.8 · AI score 6.2 · EPSS 0.00804 · Exploits 1 · References 1
OSV · added 2023/12/07 8:15 p.m.

UBUNTU-CVE-2023-49465

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derivespatiallumavectorprediction function at motion.cc...

CVSS 8.8 · AI score 6.7 · EPSS 0.00804 · Exploits 1 · References 4
RedHat Linux · added 2023/12/07 1:53 p.m.

curl: cookie injection with none file

A flaw was found in the Curl package. This flaw allows an attacker to insert cookies into a running program using libcurl if a specific series of conditions is met...

CVSS 3.7 · AI score 6.7 · EPSS 0.06208 · Exploits 0 · References 6
Snyk · added 2023/12/07 6:44 a.m.

Cross-site Scripting (XSS)

Overview: Squidex.ClientLibrary is a ClientLibrary for Squidex Headless CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to an incomplete blacklist in the SVG inspection process. An attacker can inject malicious JavaScript via the SRC attribute of an IFRAME elemen...

CVSS 5.4 · AI score 5.3 · EPSS 0.00569 · Exploits 1 · References 2
CNNVD · added 2023/12/07 12:00 a.m.

squidex Cross-Site Scripting Vulnerability

squidex is a Headless CMS and content management center. A cross-site scripting vulnerability exists in Squidex versions prior to 7.9.0, which stems from the presence of an incomplete blacklist in the SVG check, and can be exploited by an attacker to conduct a cross-site scripting attack via the...

CVSS 5.4 · AI score 5.3 · EPSS 0.00569 · Exploits 1 · References 4
AlpineLinux · added 2023/12/07 12:00 a.m.

CVE-2023-49465

Libde265 v1.0.14 was discovered to contain a heap-buffer-overflow vulnerability in the derivespatiallumavectorprediction function at motion.cc...

CVSS 8.8 · AI score 8.6 · EPSS 0.00804 · Exploits 1
UbuntuCve · added 2023/12/05 12:15 p.m.

CVE-2023-43628

An integer underflow vulnerability exists in the NTRIP Stream Parsing functionality of GPSd 3.25.1dev. A specially crafted network packet can lead to memory corruption. An attacker can send a malicious packet to trigger this vulnerability...

CVSS 7.5 · AI score 7.1 · EPSS 0.01225 · Exploits 1 · References 2
OSV · added 2023/12/04 1:15 p.m.

CVE-2023-48863

SEMCMS 3.9 is vulnerable to SQL Injection. Due to the lack of security checks on the application's input, an attacker can use the existing application to inject malicious SQL commands into the backend database engine for execution, sending attack code as commands or query statements...

CVSS 7.5 · AI score 6 · EPSS 0.00858 · Exploits 1 · References 2
CNNVD · added 2023/12/04 12:00 a.m.

WordPress plugin Uploading SVG, WEBP and ICO files security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A security vulnerability exists in the...

CVSS 6.1 · AI score 6.2 · EPSS 0.00932 · Exploits 2 · References 1
OSV · added 2023/11/30 7:15 a.m.

DEBIAN-CVE-2023-49081

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Improper validation made it possible for an attacker to modify the HTTP request, e.g. to insert a new header or create a new HTTP request, if the attacker controls the HTTP version. The vulnerability only occurs if the...

CVSS 5.3 · AI score 6.1 · EPSS 0.00874 · Exploits 1 · References 1
OSV · added 2023/11/29 9:56 p.m.

USN-6527-1 openjdk-17, openjdk-21, openjdk-lts vulnerabilities

Carter Kozak discovered that OpenJDK, when compiling with AVX-512 instruction support enabled, could produce code that resulted in memory corruption in certain situations. An attacker targeting applications built in this way could possibly use this to cause a denial of service or execute arbitrar...

CVSS 5.3 · AI score 6.8 · EPSS 0.014 · Exploits 0 · References 3
IBM Security Bulletins · added 2023/11/29 2:49 p.m.

Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Apache ZooKeeper

Summary: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data contains a vulnerable version of Apache ZooKeeper.
Vulnerability Details: CVEID: CVE-2023-44981. DESCRIPTION: Apache ZooKeeper could allow a remote attacker to bypass security restrictions, caused by a flaw when SASL Quorum Peer...

CVSS 9.1 · AI score 6.8 · EPSS 0.01713 · Exploits 0 · Affected Software 1
CNNVD · added 2023/11/29 12:00 a.m.

October Cross-Site Scripting Vulnerability

October is an open source content management system (CMS) and web platform from October. A cross-site scripting vulnerability exists in October versions 3.0 through 3.5.2, which originates when SVG files are supported, and allows a user with access to the Media Manager, where SVG files are stored, ...

CVSS 5.4 · AI score 6 · EPSS 0.0041 · Exploits 0 · References 2
Positive Technologies · added 2023/11/29 12:00 a.m.

PT-2023-29218 · October · October

Name of the Vulnerable Software and Affected Versions: October versions prior to 3.5.2
Description: A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. T...

CVSS 5.4 · AI score 5.2 · EPSS 0.0041 · Exploits 0 · References 9
RedHat Linux · added 2023/11/28 3:40 p.m.

hw: Intel: Gather Data Sampling (GDS) side channel vulnerability

A Gather Data Sampling (GDS) transient execution side-channel vulnerability was found affecting certain Intel processors. This issue may allow a local attacker using a gather instruction to load from memory to infer stale data from previously used vector registers on the same physical core...

CVSS 6.5 · AI score 6.8 · EPSS 0.03882 · Exploits 1 · References 6