Malicious Package
Overview: jira-ticket-todo-comment is a malicious npm package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...
EUVD-2025-36808
Malicious code in jira-ticket-todo-comment (npm)
Source: ghsa-malware 37f93f4caecf2a8d9f056f2b72cb51b1905579bf89bf8c1e994e68028c24d2c4. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-49015 Malicious code in jira-ticket-todo-comment (npm)
Same ghsa-malware source record (37f93f4caecf2a8d9f056f2b72cb51b1905579bf89bf8c1e994e68028c24d2c4) as EUVD-2025-36808 above: any computer with this package installed or running should be considered fully compromised, and all secrets and keys stored on it should be rotated.
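The advisory above says the first thing a responder needs to know is whether the package is present at all, including as a transitive dependency that does not appear in package.json. The following is an added example (not code from the advisory or from the package) that scans an npm package-lock.json for the flagged name; it handles both the flat "packages" map of lockfileVersion 2/3 and the nested "dependencies" tree of lockfileVersion 1. The lockfile contents, the "demo-app" and "some-lib" names and the "0.0.0" version are constructed placeholders.

```python
"""Added example: report whether a known-malicious npm package appears
anywhere in a package-lock.json, including as a transitive dependency.
All sample lockfile contents below are constructed."""
import json
import sys

# Package named in the advisory above; extend with other names as needed.
BAD_PACKAGES = {"jira-ticket-todo-comment"}


def _name_from_install_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def find_bad_packages(lock_text, bad=BAD_PACKAGES):
    """Return [(install_path, version)] for every bad package in the lockfile.

    lockfileVersion 2/3 keeps a flat "packages" map keyed by install path;
    lockfileVersion 1 nests transitive deps under "dependencies".
    """
    lock = json.loads(lock_text)
    hits = []
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            # "" is the root project entry, never a dependency
            if path and _name_from_install_path(path) in bad:
                hits.append((path, meta.get("version")))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = prefix + "node_modules/" + name
                if name in bad:
                    hits.append((path, meta.get("version")))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed lockfileVersion 3 sample: the bad package is pulled in
# transitively by "some-lib". "0.0.0" is a placeholder, not a real version.
SAMPLE_LOCK_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"some-lib": "^1.0.0"}},
        "node_modules/some-lib": {"version": "1.0.0"},
        "node_modules/some-lib/node_modules/jira-ticket-todo-comment": {
            "version": "0.0.0"},
    },
})

# Constructed lockfileVersion 1 sample with the same dependency shape.
SAMPLE_LOCK_V1 = json.dumps({
    "name": "demo-app", "lockfileVersion": 1,
    "dependencies": {
        "some-lib": {
            "version": "1.0.0",
            "dependencies": {"jira-ticket-todo-comment": {"version": "0.0.0"}},
        },
    },
})

if __name__ == "__main__":
    # Usage: python scan_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOCK_V3
    for install_path, version in find_bad_packages(text):
        print(f"FOUND {install_path} ({version}): treat this host as compromised")
```

Run it against each project's lockfile rather than relying on `npm ls`, which only inspects the node_modules tree that happens to be installed on that machine; a lockfile committed to the repository shows what CI and every developer would have installed.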
Moderate: Red Hat Bug Fix Advisory: linux-firmware bug fix and enhancement update
An update for linux-firmware is now available for Red Hat Enterprise Linux 9. The linux-firmware packages contain all of the firmware files that are required by various devices to operate. Bug Fixes and Enhancements: Update linux-firmware to latest upstream rhel-9.6.z JIRA:RHEL-108919...
GHSA-PG4M-3GP6-HW4W org.xwiki.platform:xwiki-platform-notifications-ui leaks data of notification filters of users
Impact: It's possible to get access to the notification filters of any user by using a URL such as xwiki/bin/get/XWiki/Notifications/Code/NotificationFilterPreferenceLivetableResults?outputSyntax=plain&type=custom&user=. This vulnerability impacts all versions of XWiki since 13.2-rc-1. The filters do...
GHSA-R95W-889Q-X2GX org.xwiki.platform:xwiki-platform-notifications-ui is missing checks for notification filter preferences editions
Impact: It's possible for any user who knows the ID of another user's notification filter preference to enable/disable it or even delete it. The impact is that the target user might start losing notifications on some pages because of this. This vulnerability is present in XWiki since 13.2-rc-1...
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in DeleteApplication page
Impact: Users are able to forge a URL with a payload that injects JavaScript into the page (reflected XSS). It's possible to exploit the DeleteApplication page to perform an XSS, e.g. by using a URL such as:...
GHSA-R8XC-XXH3-Q5X3 XWiki Platform vulnerable to reflected cross-site scripting via back and xcontinue parameters in resubmit template
Impact: Users are able to forge a URL with a payload that injects JavaScript into the page (reflected XSS). It's possible to exploit the resubmit template to perform an XSS, e.g. by using a URL such as:...
GHSA-X234-MG7Q-M8G8 XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in deletespace template
Impact: Users are able to forge a URL with a payload that injects JavaScript into the page (reflected XSS). It's possible to exploit the deletespace template to perform an XSS, e.g. by using a URL such as: xwiki/bin/deletespace/Sandbox/?xredirect=javascript:alert(document.domain). This vulnerability exists sin...
GHSA-PHWM-87RG-27QQ XWiki Platform vulnerable to reflected cross-site scripting via delattachment action
Impact: It's possible to perform an XSS by forging a request to the delete attachment action with a specific attachment name. This XSS can only be exploited if the attacker knows the user's CSRF token, or if the user ignores the warning about the missing CSRF token. Patches The vulnerabilit...
XWiki Platform vulnerable to reflected cross-site scripting via xredirect parameter in delete template
Impact: Users are able to forge a URL with a payload that injects JavaScript into the page (reflected XSS). It's possible to exploit the delete template to perform an XSS, e.g. by using a URL such as: xwiki/bin/get/FlamingoThemes/Cerulean?xpage=xpart&vm=delete.vm&xredirect=javascript:alert(document.domain). Th...
GHSA-Q9HG-9QJ2-MXF9 XWiki Platform vulnerable to cross-site scripting via xcontinue parameter in previewactions template
Impact: Users are able to forge a URL with a payload that injects JavaScript into the page (XSS). It's possible to exploit the previewactions template to perform an XSS, e.g. by using a URL such as:...
GHSA-6GVJ-8VC5-8V3J org.xwiki.platform:xwiki-platform-oldcore Open Redirect vulnerability
Impact: It's possible to exploit well-known parameters in XWiki URLs to redirect users to an untrusted site. This vulnerability was partially fixed in the past for XWiki 12.10.7 and 13.3RC1, but it is still possible to force specific URLs to skip some checks, e.g. using URLs like...
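The xredirect, xcontinue and back entries above and this open redirect entry share one root cause: a redirect-target parameter that is echoed into a Location header or a link without being checked for scheme and origin. A `javascript:` value turns the redirect into script execution; an absolute or protocol-relative value turns it into an open redirect. The following is an added example (not XWiki's own code or fix) of the check a handler should apply before honouring such a parameter; the `wiki.example.org` origin and every test URL are constructed.

```python
"""Added example: validate a redirect-target parameter (xredirect, xcontinue,
back, ...) so it can neither run script nor leave the application's origin.
The application origin and all sample targets are constructed."""
from urllib.parse import urljoin, urlsplit

APP_ORIGIN = "https://wiki.example.org"   # assumed deployment origin


def is_safe_redirect(target, app_origin=APP_ORIGIN):
    """Return True only for targets that resolve to the same http(s) origin."""
    if not isinstance(target, str) or not target:
        return False
    # Browsers strip tabs/newlines and leading/trailing whitespace before
    # parsing, so "java\tscript:" is still javascript:. Reject any control
    # character or space instead of trying to normalise.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat a backslash after the scheme like a slash, so "/\evil"
    # becomes "//evil" (a different host). urllib does not, so reject it.
    if "\\" in target:
        return False
    # Resolve the target the way the browser would, against the app origin,
    # then compare the resulting scheme and authority. This catches
    # protocol-relative "//evil.example" and "user@host" confusion.
    resolved = urlsplit(urljoin(app_origin + "/", target))
    origin = urlsplit(app_origin)
    if resolved.scheme not in ("http", "https"):
        return False            # javascript:, data:, vbscript:, ...
    if resolved.scheme != origin.scheme:
        return False            # no downgrade from https to http
    return resolved.netloc.lower() == origin.netloc.lower()


def check_targets(targets):
    """Map each candidate target to its verdict, for review or logging."""
    return {t: is_safe_redirect(t) for t in targets}


if __name__ == "__main__":
    # Constructed candidates, including the payload shape from the
    # deletespace/delete advisories above.
    samples = [
        "javascript:alert(document.domain)",
        "JavaScript:alert(1)",
        "java\tscript:alert(1)",
        "//evil.example/",
        "/\\evil.example",
        "https://evil.example/",
        "https://wiki.example.org@evil.example/",
        "bin/view/Main/",
        "/bin/deletespace/Sandbox/",
        "https://wiki.example.org/bin/view/Main/",
    ]
    for target, ok in check_targets(samples).items():
        print(f"{'allow' if ok else 'REJECT'}  {target!r}")
```

The safest policy is still to accept only relative paths and to build the absolute URL server-side; the origin comparison above is for cases where an absolute same-origin URL must be accepted. Whatever the policy, the check has to run on the value as the browser will interpret it, which is why the code resolves the target first rather than pattern-matching on a leading slash.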
GHSA-M3C3-9QJ7-7XMX Exposure of Sensitive Information to an Unauthorized Actor in org.xwiki.platform:xwiki-platform-office-viewer
Impact: The office document viewer macro allowed anyone to read any file on the hosting server, provided that the office server was connected, subject to the permissions of the user running the servlet engine (e.g. Tomcat running XWiki). The same vulnerability also allowed to...
GHSA-VVP7-R422-RX83 Unauthenticated user can have information about hidden users on subwikis through uorgsuggest.vm
Impact: It's possible to list some users who are normally not viewable from a subwiki by requesting users on a subwiki that allows only global users, via uorgsuggest.vm. This issue only concerns hidden users from the main wiki. Note that the disclosed information is the username and the first and last...
CVE-2022-22932
CVE-2022-22932 affects Apache Karaf via partial path traversal in the obr:* commands and the karaf-maven-plugin run goal, which could allow breaking out of the designated folder. The public description considers the issue low risk, since obr:* usage is limited and the entry is user-controlled....
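"Partial path traversal" is the bug class where a containment check compares path strings by prefix, so a sibling directory whose name merely starts with the designated folder's name (`/data/out` versus `/data/outnot`) passes as if it were inside. The following is an added illustration of that class and of a correct containment check, written in Python; it is not Apache Karaf's code and does not reproduce the exact Karaf logic. The `/data/out` directory and the candidate paths are constructed.

```python
"""Added example: a prefix-based containment check that is vulnerable to
partial path traversal, beside a correct path-component check.
Directory names are constructed."""
import os


def inside_folder_naive(base, candidate):
    """Flawed check: string prefix on normalised paths.

    normpath collapses "..", so "/data/out/../secret" is caught, but a
    sibling whose name starts with the base name ("/data/outnot/x") still
    passes because "/data/outnot/x".startswith("/data/out") is True.
    """
    return os.path.normpath(candidate).startswith(os.path.normpath(base))


def inside_folder(base, candidate):
    """Correct check: resolve both paths (symlinks included) and require the
    designated folder to be a path-component ancestor of the candidate."""
    base_real = os.path.realpath(base)
    cand_real = os.path.realpath(candidate)
    try:
        return os.path.commonpath([base_real, cand_real]) == base_real
    except ValueError:
        # commonpath raises when the paths cannot share a prefix at all
        # (e.g. different drives on Windows); that is never "inside".
        return False


def safe_join(base, user_entry):
    """Join a user-controlled entry onto the designated folder, returning the
    resolved path or None if it would escape."""
    candidate = os.path.join(base, user_entry)
    return os.path.realpath(candidate) if inside_folder(base, candidate) else None


if __name__ == "__main__":
    base = "/data/out"
    for entry in ["bundle.jar", "../secret", "../outnot/x", "/etc/passwd"]:
        print(f"{entry!r:16} naive={inside_folder_naive(base, os.path.join(base, entry))!s:5} "
              f"correct={safe_join(base, entry)}")
```

Two details matter beyond the prefix problem: resolve symlinks before comparing (a link inside the folder can point outside it), and compare on path components, which `os.path.commonpath` does, rather than on characters.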