Improper header name validation in guzzlehttp/psr7

Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.9.1 and 2.4.5...

Cross site scripting

Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL...

PT-2023-21341 · Unknown · Online Jewelry Shop

Name of the Vulnerable Software and Affected Versions: Online Jewelry Shop version 1.0 Description: A stored cross-site scripting XSS issue in the "/index.php?page=category list" API endpoint of Online Jewelry Shop allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVE-2023-29513 Users can be created even when registration is disabled without validation via the template macro in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If guest has view right on any document. It's possible to create a new user using the distribution/firstadminuser.wiki in the wrong context. This vulnerability has been patched in XWiki...

CVE-2023-30537 org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper...

familienzentrum-altenhof.de Cross Site Scripting vulnerability OBB-3257099

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

ekiosku.com Cross Site Scripting vulnerability OBB-3256537

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

Cross site scripting

A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function printmodulelist/showwarningssectionnotice/statustext/uigetactionlinks. The manipulation leads to cross site scripting. The attack may be...

CVE-2023-28840

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component dockerd, which is developed as moby/moby, is commonly referred to as Docker. Swarm Mode, which i...

PT-2023-15433 · WordPress · Mr Digital Simple Image Popup

Name of the Vulnerable Software and Affected Versions: Mr Digital Simple Image Popup plugin versions 1.3.6 and earlier Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability that requires authentication with admin+ privileges. Recommendations: For Mr Digital Simple...

CVE-2023-28427 Prototype pollution in matrix-js-sdk

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data...

externclub.com Cross Site Scripting vulnerability OBB-3230128

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

CVE-2023-25820 Nextcloud Server and Enterprise Server missing brute force protection on password confirmation modal

Nextcloud Server is the file server software for Nextcloud, a self-hosted productivity platform, and Nextcloud Enterprise Server is the enterprise version of the file server software. In Nextcloud Server versions 25.0.x prior to 25.0.5 and versions 24.0.x prior to 24.0.10 as well as Nextcloud...

CVE-2023-28107 Discourse vulnerable to multisite DoS by spamming backups

Discourse is an open-source discussion platform. Prior to version 3.0.2 of the stable branch and version 3.1.0.beta3 of the beta and tests-passed branches, a user logged as an administrator can request backups multiple times, which will eat up all the connections to the DB. If this is done on a...

LockBit ransomware attacks Essendant

The LockBit ransomware group is claiming responsibility for taking down a US-based distributor of office products called Essendant. This attack, which is said to have begun on or around March 6, created severe ramifications for the organisation, disrupting freight carrier pickups, online orders,...

Ransomware attack hits ANOTHER school

In what is likely Vice Society's handiwork, the UK's largest state boarding school Wymondham College has announced it has become the victim of a "sophisticated cyberattack". The school didn't provide additional information, but Jonathan Taylor, chief of the school's parent company Sapientia...

CLSA-2023-1678820123 Fix CVE(s): CVE-2023-1175

SECURITY UPDATE: Illegal memory access when using virtual editing - debian/patches/CVE-2023-1175: Make sure "startspaces" is not negative - CVE-2023-1175...

Security Bulletin: There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2022-40705)

Summary There is a security vulnerability in Apache SOAP used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2022-40705 DESCRIPTION: Apache SOAP is vulnerable to an XML external entity injection XXE attack when processing XML data, caused by a...

PT-2023-20455 · Xwiki · Xwiki Commons

Name of the Vulnerable Software and Affected Versions: XWiki Commons versions 3.1-milestone-1 through 13.10.8 XWiki Commons versions 14.0.0 through 14.4.3 XWiki Commons versions 14.5.0 through 14.7RC0 Description: The issue allows any user to edit their own profile and inject code, which is...

CVE-2022-32836

This issue was addressed with improved state management. This issue is fixed in Apple Music 3.9.10 for Android. An app may be able to access user-sensitive data...