ha-mcp has XSS via Unescaped HTML in OAuth Consent Form
Summary The ha-mcp OAuth consent form renders user-controlled parameters via Python f-strings with no HTML escaping. An attacker who can reach the OAuth endpoint and convince the server operator to follow a crafted authorization URL could execute JavaScript in the operator's browser. This affects...
EUVD-2024-45922
Malicious code in bioql PyPI...
PT-2024-38383 · WordPress · Wpcom Member
Name of the Vulnerable Software and Affected Versions: WPCOM Member plugin for WordPress versions up to 1.5.2.1 Description: The issue is due to the plugin allowing arbitrary data to be passed to wp_insert_user during registration, making it possible for unauthenticated attackers to update their...
CVE-2024-7700
A command injection flaw was found in the "Host Init Config" template in the Foreman application via the "Install Packages" field on the "Register Host" page. This flaw allows an attacker with the necessary privileges to inject arbitrary commands into the configuration, potentially allowing...
Nextcloud Access Control Error Vulnerability (CNVD-2024-29657)
Nextcloud is an open source, self-hosted file synchronization, sharing and communication application platform from Nextcloud of Germany. Nextcloud suffers from an access control error vulnerability that stems from a lack of access control, which can be exploited by an attacker to register an...