Lucene search
K

3221 matches found

CVE
CVE
added 2024/09/24 9:17 p.m.71 views

CVE-2024-8291

Concrete CMS stores stored XSS in the Image Editor background color feature (Thumbnails/Add-Type). Affected versions are 9.0.0–9.3.3 and below 8.5.19. The root cause is input that can inject malicious code via the Background Color field, exploitable by a rogue admin (privileges HIGH, UI not requi...

5.1CVSS5AI score0.00503EPSS
Exploits0References4Affected Software1
RubySec
RubySec
added 2024/09/19 12:0 a.m.24 views

protobuf-java has potential Denial of Service issue

Summary When parsing unknown fields in the Protobuf Java Lite and Full library, a maliciously crafted message can cause a StackOverflow error and lead to a program crash. Reporter: Alexis Challande, Trail of Bits Ecosystem Security Team Affected versions: This issue affects all versions of both t...

8.7CVSS6.6AI score0.02772EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2024/09/17 6:13 p.m.29 views

CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the ho...

4.6CVSS0.00273EPSS
Exploits0References2
OSV
OSV
added 2024/09/17 6:13 p.m.10 views

CVE-2024-8660 Stored XSS in the "Top Navigator Bar" block

Concrete CMS versions 9.0.0 through 9.3.3 are affected by a stored XSS vulnerability in the "Top Navigator Bar" block. Since the "Top Navigator Bar" output was not sufficiently sanitized, a rogue administrator could add a malicious payload that could be executed when targeted users visited the ho...

4.6CVSS6AI score0.00273EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2024/09/10 11:20 a.m.20 views

Shining a Light on Shadow Apps: The Invisible Gateway to SaaS Data Breaches

Shadow apps, a segment of Shadow IT, are SaaS applications purchased without the knowledge of the security team. While these applications may be legitimate, they operate within the blind spots of the corporate security team and expose the company to attackers. Shadow apps may include instances of...

7AI score
Exploits0
OSV
OSV
added 2024/08/16 6:45 p.m.10 views

GHSA-VWF8-Q6FW-4WCM Cilium leaks information via incorrect ReferenceGrant update logic in Gateway API

Impact Due to ReferenceGrant changes not being immediately propagated in Cilium's GatewayAPI controller, Gateway resources are able to access secrets in other namespaces after the associated ReferenceGrant has been revoked. This can lead to Gateways continuing to establish sessions using secrets...

5.4CVSS4.6AI score0.00573EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2024/08/09 12:37 a.m.15 views

CVE-2024-4350 Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...

5.1CVSS5AI score0.00464EPSS
Exploits0References4
Cvelist
Cvelist
added 2024/08/09 12:37 a.m.55 views

CVE-2024-4350 Concrete CMS version 9 below 9.3.3 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer

Concrete CMS versions 9.0.0 to 9.3.2 and below 8.5.18 are vulnerable to Stored XSS in RSS Displayer when user input is stored and later embedded into responses. A rogue administrator could inject malicious code into fields due to insufficient input validation. The Concrete CMS security team gave...

5.1CVSS0.00464EPSS
Exploits0References4
OSV
OSV
added 2024/08/09 12:19 a.m.15 views

CVE-2024-7512 Concrete CMS Stored XSS in Board instances

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in Board instances. A rogue administrator could inject malicious code. The Concrete CMS security team gave this vulnerability a CVSS 4.0 Score of 4.6 with vector:...

4.6CVSS6AI score0.00375EPSS
Exploits0References5
MSRC
MSRC
added 2024/08/05 7:0 a.m.344 views

Microsoft Bounty Program Year in Review: $16.6M in Rewards

We are excited to announce that this year the Microsoft Bounty Program has awarded $16.6M in bounty awards to 343 security researchers from 55 countries, securing Microsoft customers in partnership with the Microsoft Security Response Center MSRC. Each year we identify over a thousand potential...

7.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2024/08/01 9:31 p.m.15 views

Concrete CMS vulnerable to Stored Cross-site Scripting

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concret...

4.8CVSS5.7AI score0.00302EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2024/08/01 9:31 p.m.49 views

GHSA-3CPF-JMMC-8JM3 Concrete CMS vulnerable to Stored Cross-site Scripting

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator hav the capability to inject malicious JavaScript code. The Concret...

4.6CVSS4.7AI score0.00302EPSS
Exploits0References5
NVD
NVD
added 2024/08/01 7:15 p.m.37 views

CVE-2024-4353

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concre...

4.8CVSS0.00302EPSS
Exploits0References2
OSV
OSV
added 2024/08/01 6:23 p.m.20 views

CVE-2024-4353 Stored XSS in Generate Board Name Input Field

Concrete CMS versions 9.0.0 through 9.3.2 are affected by a stored XSS vulnerability in the generate dashboard board instance functionality. The Name input field does not check the input sufficiently letting a rogue administrator have the capability to inject malicious JavaScript code. The Concre...

4.6CVSS6AI score0.00302EPSS
Exploits0References5
Patchstack
Patchstack
added 2024/06/25 7:30 a.m.4 views

WordPress Core < 6.5.5 - Contributor+ Stored Cross-Site Scripting via HTML API

Contributor+ Stored Cross-Site Scripting via HTML API vulnerability discovered by WordPress Security Team in WordPress core versions 6.5.5...

6.4CVSS5.7AI score0.00467EPSS
Exploits0References1Affected Software1
Patchstack
Patchstack
added 2024/06/25 12:0 a.m.8 views

WordPress is vulnerable to Cross Site Scripting (XSS)

Software WordPress Type WordPress Core Vulnerable versions 6.5.5 Fixed in 6.5.5 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE N/A Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 8d0f5e61a452 Credits WordPress Security Team Required privilege...

6.9AI score
Exploits0References2Affected Software1
OSV
OSV
added 2024/06/17 10:30 p.m.23 views

GHSA-64JQ-M7RQ-768H Rancher's External RoleTemplates can lead to privilege escalation

Impact A vulnerability has been identified whereby privilege escalation checks are not properly enforced for RoleTemplateobjects when external=true, which in specific scenarios can lead to privilege escalation. The bug in the webhook rule resolver ignores rules from a ClusterRole for external...

7.5CVSS6.7AI score0.00539EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2024/05/30 12:35 p.m.21 views

Symfony2 improper IP based access control

Damien Tournoud, from the Drupal security team, contacted us two days ago about a security issue in the Request::getClientIp method when the trust proxy mode is enabled Request::trustProxyData. An application is vulnerable if it uses the client IP address as returned by the Request::getClientIp...

7.1AI score
Exploits0References5Affected Software1
Wallarm Lab
Wallarm Lab
added 2024/05/20 2:44 p.m.36 views

Dell Data Breach: Personal Information of 49 Million Customers Compromised due to latest API Abuse

Dell recently issued a notice regarding a data breach that occurred on May 9, which has reportedly affected over 49 million customers across the globe. According to a report by BleepingComputer, Dell initiated the distribution of notifications cautioning its customers that their personally...

10CVSS7.8AI score0.99999EPSS
Exploits47
Github Security Blog
Github Security Blog
added 2024/05/14 8:13 p.m.33 views

TYPO3 vulnerable to an Uncontrolled Resource Consumption in the ShowImageController

Problem The ShowImageController eID txcmsshowpic lacks a cryptographic HMAC-signature on the frame HTTP query parameter e.g. /index.php?eID=txcmsshowpic?file=3&...&frame=12345. This allows adversaries to instruct the system to produce an arbitrary number of thumbnail images on the server side...

5.3CVSS5.4AI score0.0047EPSS
Exploits0References7Affected Software1
Rows per page
Query Builder