CVE-2022-24239
ACEweb Online Portal 3.5.065 was discovered to contain an unrestricted file upload vulnerability via attachments.awp...
ACEware Systems ACEweb Online Portal Code Issue Vulnerability
ACEware Systems ACEweb Online Portal is a component of the Student Manager solution from ACEware Systems. A security vulnerability exists in ACEware Systems ACEweb Online Portal version 3.5.065. An attacker can exploit this vulnerability to achieve unrestricted file upload via...
ACEware Systems ACEweb Online Portal Security Vulnerability
ACEware Systems ACEweb Online Portal is a component of the Student Manager solution from ACEware Systems, Inc. A security vulnerability exists in ACEware Systems ACEweb Online Portal version 3.5.065, which stems from the discovery that ACEweb Online Portal 3.5.065 contains an externally controlled...
Lack of check could cause loss of user funds
Lines of code Vulnerability details Impact The increaseamount function is currently missing a check for attachments and voted. Any amount provided will get added to the existing amount. The increased amount will get stuck during withdraw if attachmentstokenId != 0 or votedtokenId Proof of Concept 1. Us...
GHSA-XJMX-CPRH-646R MantisBT unauthorized users able to access private files
An issue was discovered in filedownload.php in MantisBT before 2.24.3. Users without access to view private issue notes are able to download the supposedly private attachments linked to these notes by accessing the corresponding file download URL directly...
Mattermost Server is vulnerable to XSS through author_link field in Slack attachments
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the authorlink field of a Slack attachment...
GHSA-498J-WXWW-J897 Mattermost Server is vulnerable to XSS through author_link field in Slack attachments
An issue was discovered in Mattermost Server before 4.3.0, 4.2.1, and 4.1.2. XSS could occur via the authorlink field of a Slack attachment...
Moodle Email media URL tokens were not checking for user status
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
GHSA-774Q-WFCP-VC2Q Moodle Email media URL tokens were not checking for user status
A vulnerability was found in Moodle 3.6 before 3.6.7 and 3.7 before 3.7.3, where tokens used to fetch inline attachments in email notifications were not disabled when a user's account was no longer active. Note: to access files, a user would need to know the file path, and their token...
phpBB Cross-Site Request Forgery (CSRF)
Missing form token validation in phpBB 3.2.7 allows CSRF in deleting post attachments...
GHSA-9CG4-4F87-JHM3 Moodle XSS in attachments to evidence of prior learning
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning...
Moodle XSS in attachments to evidence of prior learning
In Moodle 3.x, XSS can occur via attachments to evidence of prior learning...
MantisBT XSS via move_attachments_page.php
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php), part of admin tools, allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, an...
GHSA-X53V-V9XP-GF6G MantisBT XSS via move_attachments_page.php
A cross-site scripting (XSS) vulnerability in the MantisBT Move Attachments page (move_attachments_page.php), part of admin tools, allows remote attackers to inject arbitrary code through a crafted 'type' parameter, if Content Security Protection (CSP) settings allow it. This is fixed in 1.3.9, 2.1.3, an...
Cross-site Scripting (XSS)
Overview mantisbt/mantisbt is a Mantis bug tracker. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via move_attachments_page.php. An attacker can inject arbitrary web script or HTML by manipulating the 'type' parameter. This is only exploitable if Content Security...
Croogo vulnerable to Cross-site Scripting in title field
A stored self-XSS exists in Croogo before v3.0.7, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4...
GHSA-Q5FG-V5P7-R424 Croogo vulnerable to Cross-site Scripting in title field
A stored self-XSS exists in Croogo before v3.0.7, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4...
“Chemical attack” email warnings deliver Jester Stealer malware
Jester Stealer, a malicious file capable of large amounts of data theft, is on the prowl again. The Ukrainian Computer Emergency Response Team CERT-UA has warned of a large distribution campaign abusing a "chemical attack" theme. Receiving an email like this in the invasion-affected regions of...
[SECURITY] Fedora 36 Update: containerd-1.6.2-2.fc36
Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision...
[SECURITY] Fedora 36 Update: containerd-1.6.2-1.fc36
Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Linux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision...