424 matches found
CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission...
CVE-2024-41709
Backdrop CMS before 1.27.3 and 1.28.x before 1.28.2 does not sufficiently sanitize field labels before they are displayed in certain places. This vulnerability is mitigated by the fact that an attacker must have a role with the "administer fields" permission...
Open Redirect
Drupal's path module is vulnerable to a Open Redirect. The vulnerability is due to improper URL handling which allows users with 'administer paths' permissions to create URLs that redirect to malicious sites...
Drupal External URL injection through URL aliases leading to Open Redirect
The path module in Drupal allows users with the 'administer paths' to create pretty URLs for content. In certain circumstances the user can enter a particular path that triggers an open redirect to a malicious url...
PT-2024-40158 · Drupal · Drupal
Name of the Vulnerable Software and Affected Versions: Drupal affected versions not specified Description: The issue concerns the path module in Drupal, which allows users with the 'administer paths' permission to create pretty URLs for content. Under certain circumstances, a user can enter a...
CVE-2024-29008 Apache CloudStack: The extraconfig feature can be abused to load hypervisor resources on a VM instance
A problem has been identified in the CloudStack additional VM configuration extraconfig feature which can be misused by anyone who has privilege to deploy a VM instance or configure settings of an already deployed VM instance, to configure additional VM configuration even when the feature is not...
CVE-2024-3181 Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field.
Concrete CMS version 9 prior to 9.2.8 and previous versions prior to 8.5.16 are vulnerable to Stored XSS in the Search Field. Prior to the fix, stored XSS could be executed by an administrator changing a filter to which a rogue administrator had previously added malicious code. The Concrete CMS...
CVE-2024-25652
In Delinea PAM Secret Server 11.4, it is possible for a user assigned "Administer Reports" permission and/or with access to Report functionality via UNLIMITED ADMIN MODE with access to the Report functionality to gain unauthorized access to remote sessions created by legitimate users through...
Directory traversal
XenForo before 2.2.14 allows Directory Traversal with write access by an authenticated user who has permissions to administer styles, and uses a ZIP archive for Styles Import...
DRUPAL-CONTRIB-2024-011
The Coffee module helps you to navigate through the Drupal admin menus faster with a shortcut popup. The module doesn't sufficiently escape menu names when displaying them in the popup, thereby exposing a XSS vulnerability. This vulnerability is mitigated by the fact that an attacker must have a...
Jenkins NeuVector Vulnerability Scanner Plugin Cross-Site Request Forgery vulnerability
Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password...
Jenkins Build Failure Analyzer Plugin missing permission check
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, th...
Jenkins Build Failure Analyzer Plugin Cross-Site Request Forgery vulnerability
Jenkins Build Failure Analyzer Plugin 2.4.1 and earlier does not perform a permission check in a connection test HTTP endpoint. This allows attackers with Overall/Read permission to connect to an attacker-specified hostname and port using attacker-specified username and password. Additionally, th...
DRUPAL-CONTRIB-2023-033
This module enables you to add the Matomo web statistics tracking system to your website. The module does not check the Matomo JS code loaded on the website. So a user could configure the module to load JS from a malicious website. This vulnerability is mitigated by the fact that an attacker must...
Jenkins SAML Single Sign On(SSO) Plugin missing permission check
Jenkins SAML Single Sign OnSSO Plugin 2.3.0 and earlier does not perform a permission check in an HTTP endpoint. This allows attackers with Overall/Read permission to download a string representation of the current security realm Java ObjecttoString, which potentially includes sensitive...
DRUPAL-CONTRIB-2023-029
This module enables sites to comply with the European cookie law using tarteaucitron.js. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The...
DRUPAL-CONTRIB-2023-024
This module enables you to create dynamic layouts and add sample color palettes for color selection hints via its UI. The module doesn't sufficiently sanitize the module's settings in certain scenarios leading to a Cross Site Scripting vulnerability. This vulnerability is mitigated by the fact th...
DRUPAL-CONTRIB-2023-023
This module enables you to define configurable GDPR alert messages. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that an attacker needs additional permissions. The vulnerability can be...
DRUPAL-CONTRIB-2023-021
CivicCookieControl is a module that can help make a website compliant with EU and UK cookie legislation. The Civic GovUK Cookie Control module does not sufficiently sanitize the configuration resulting in a Cross-Site Scripting XSS vulnerability. This vulnerability is mitigated by the fact that t...
DRUPAL-CONTRIB-2023-020
This module enables you to define a 'weekly office hours' field type, and add a field to any Content type, in order to display the weekly opening hours for a location. The module doesn't sufficiently filter user-supplied text leading to a Cross Site Scripting XSS vulnerability. This vulnerability...