CVE-2024-28234 Contao has insufficient BBCode sanitizer
Contao is an open source content management system. Starting in version 2.0.0 and prior to versions 4.13.40 and 5.3.4, it is possible to inject CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled. Contao versions 4.13.40 and 5.3.4 have a patch for this issue. A...
CVE-2024-28234
Contao is affected when BBCode is enabled for comments, which allows CSS injection via BBCode in user comments. The issue affects Contao from version 2.0.0 up to, but not including, 4.13.40 and 5.3.4; those two releases contain the fix. As a workaround, disable BBCod...
Contao security vulnerability
Contao is an open source content management system CMS developed in PHP. The system supports search engines, rights management, and CSS frameworks. A security vulnerability exists in Contao version 4.x prior to version 4.13.40 and version 5.x prior to version 5.3.4, which stems from the ability t...
Insufficient BBCode sanitization
Date: 2024-04-09. CVE ID: CVE-2024-28234. If BBCode is enabled for comments, users can inject CSS styles. Affected versions: Contao 4.0, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6, 4.7, 4.8, 4.9, 4.10, 4.11, 4.12, 4.13 up to 4.13.39...
PT-2024-22349 · Contao · Contao
Name of the vulnerable software and affected versions: Contao versions 2.0.0 through 4.13.39; Contao versions 5.0.0 through 5.3.3. Description: The issue allows injection of CSS styles via BBCode in comments. Installations are only affected if BBCode is enabled for comments. Recommendations: For...
Security Vulnerability of HTML Emails
This is a newly discovered email vulnerability: The email your manager received and forwarded to you was something completely innocent, such as a potential customer asking a few questions. All that email was supposed to achieve was being forwarded to you. However, the moment the email appeared in...
disletouthaut.fr Cross Site Scripting vulnerability OBB-3904707
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
WordPress Spectra plugin <= 2.10.3 - Authenticated(Contributor+) Cross-Site Scripting via Custom CSS vulnerability
Authenticated (Contributor+) Cross-Site Scripting via Custom CSS vulnerability discovered by Akbar Kustirama in the WordPress plugin Spectra, versions <= 2.10.3...
proshop-fujioka.co.jp Cross Site Scripting vulnerability OBB-3890240
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
ROS-20240328-08
A vulnerability in the WebRTC component of the Google Chrome browser is a use-after-free (use of memory after it has been freed). Exploiting it could allow a remote attacker to execute arbitrary code or cause a denial of service using specially crafted malware...
[SECURITY] Fedora 40 Update: weasyprint-61.2-1.fc40
WeasyPrint can render HTML and CSS to PDF. It aims to support web standards for printing...
Grav File Upload Path Traversal
Summary: Grav is vulnerable to a file upload path traversal vulnerability that can allow an adversary to replace or create files with extensions such as .json, .zip, .css, .gif, etc. This vulnerability can allow attackers to inject arbitrary code on the server, undermine the integrity of backup files...
CVE-2024-27921
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw pose...
CVE-2024-27921 Grav File Upload Path Traversal vulnerability
Grav is an open-source, flat-file content management system. A file upload path traversal vulnerability has been identified in the application prior to version 1.7.45, enabling attackers to replace or create files with extensions like .json, .zip, .css, .gif, etc. This critical security flaw pose...
MAL-2024-1102 Malicious code in r101-css (npm)
Source: ghsa-malware 04fdb7d31fd1d035cfcc20972fe3adcd5bf484b9a3427b495018e3ae9b9b62ac. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Inline Related Posts < 3.5.0 - Admin+ Stored XSS
Description: The plugin does not sanitise and escape some of its settings, which could allow high-privilege users such as Admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed. Put the following payload in the CSS margin-top setting: 0 em" onmouseover=alert(/XSS/)// Th...
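Both the Contao BBCode entry above and this Inline Related Posts entry come down to an untrusted value landing inside a style attribute. The following added example (not code from Contao or from the plugin) contrasts three treatments of such a value: raw concatenation, which the margin-top payload breaks out of; attribute escaping alone, which stops the breakout but still lets a semicolon smuggle extra CSS declarations, the class of bug behind the Contao advisory; and escaping plus validation against the grammar the setting is meant to hold. The CSS-length grammar, the [color=...] tag, the function names and the sample inputs are assumptions for illustration, not the exact vectors of either advisory.

```javascript
// Added example; not code from Contao or the Inline Related Posts plugin.
// Three ways of placing an untrusted value in a style attribute.

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// 1) Raw concatenation: a double quote in the setting closes the attribute
//    and whatever follows (an event handler) is parsed as markup.
function renderMarginRaw(value) {
  return `<div style="margin-top:${value}">`;
}

// 2) Attribute escaping alone: no breakout, but the value is still live CSS,
//    so a semicolon smuggles further declarations into the element.
function renderMarginEscaped(value) {
  return `<div style="margin-top:${escapeAttr(value)}">`;
}

// 3) Escaping plus validation against the grammar the setting should hold
//    (a single CSS length); anything else falls back to a safe default.
const CSS_LENGTH = /^-?(\d+|\d*\.\d+)(px|em|rem|%|vh|vw)?$/;   // assumed grammar
function renderMarginValidated(value) {
  const v = String(value).trim();
  return `<div style="margin-top:${escapeAttr(CSS_LENGTH.test(v) ? v : '0')}">`;
}

// The same distinction for a BBCode [color=...] tag in a comment: HTML
// escaping stops tag injection, but only validating the argument stops CSS
// injection. validate=false reproduces a weak sanitizer, true the fix.
const COLOR_TOKEN = /^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$/;  // assumed
function renderBBCodeColor(text, validate) {
  return escapeAttr(text).replace(
    /\[color=([^\]]+)\]([\s\S]*?)\[\/color\]/g,
    (_, color, body) => (!validate || COLOR_TOKEN.test(color))
      ? `<span style="color:${color}">${body}</span>`
      : body);
}

// Constructed inputs: the attribute-breakout payload quoted in the advisory
// above, and a CSS-only payload that needs no quote at all.
const BREAKOUT = '0 em" onmouseover=alert(/XSS/)//';
const CSS_SMUGGLE = '0;position:fixed;inset:0;background:url(//attacker.example/p)';

for (const input of [BREAKOUT, CSS_SMUGGLE, '1.5em']) {
  console.log('raw       :', renderMarginRaw(input));
  console.log('escaped   :', renderMarginEscaped(input));
  console.log('validated :', renderMarginValidated(input));
}
console.log(renderBBCodeColor('[color=red;position:fixed]hi[/color]', false));
console.log(renderBBCodeColor('[color=red;position:fixed]hi[/color]', true));
```

The point of the second case is that an escaping function such as WordPress's esc_attr() is the right tool against the quote breakout but says nothing about what the browser will do with the CSS it faithfully preserves; a value that ends up in a style attribute needs a type check of its own.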