CVE-2024-56510

Marp Core vulnerability CVE-2024-56510 affects Marp Core versions from v3.0.2 to v3.9.0 and v4.0.0, where improper neutralization of HTML sanitization leads to Cross-Site Scripting (XSS). The issue is addressed in Marp Core v3.9.1 and v4.0.1. If immediate upgrading is not feasible, a workaround i...

Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment

A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker or insider may execute a malicious payload which could trigger an undesired behavior against the server. Impact Cross-site scripting XSS vulnerability in the...

Cross-site Scripting vulnerability in SimpleXLSXEx::readThemeColors, SimpleXLSXEx::getColorValue and SimpleXLSX::toHTMLEx

Impact When calling the extended toHTMLEx method, it is possible to execute arbitrary JavaScript code. Patches The supplied patch resolves this vulnerability for SimpleXLSX. Use 1.1.13 Workarounds Don't use data publication via toHTMLEx This vulnerability was discovered by Aleksey Solovev Positiv...

GHSA-QF5V-RP47-55GG Path Traversal in file update API in gogs

Impact The malicious user is able to write a file to an arbitrary path on the server to gain SSH access to the server. Patches Writing files outside repository Git directory has been prohibited via the repository file update API https://github.com/gogs/gogs/pull/7859. Users should upgrade to 0.13...

CVE-2024-12635

CVE-2024-12635 concerns the WP Docs plugin for WordPress. The vulnerability is a time-based SQL Injection via the dir_id parameter in all versions up to and including 2.2.0, caused by insufficient escaping in the user-supplied input and inadequate preparation in the SQL query. It allows authentic...

CVE-2024-51479 Authorization bypass in Next.js

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For...

CVE-2024-51479 Authorization bypass in Next.js

Next.js is a React framework for building full-stack web applications. In affected versions if a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed for pages directly under the application's root directory. For...

CVE-2024-55661

CVE-2024-55661 affects Laravel Pulse prior to 1.3.1. The vulnerability is triggered via the remember(callable $query, string $key = '') method in Laravel\Pulse\Livewire\Concerns\RemembersQueries, which allows an authenticated dashboard user to invoke arbitrary callables (functions or static metho...

CVE-2024-54139

Combodo iTop is affected by a cross-site scripting (XSS) vulnerability that can lead to cross-site request forgery (CSRF) via the _table_id parameter. Impact is described as high/critical in CVE sources. Affected versions: prior to 2.7.11, 3.1.2, and 3.2.0. Patches are available in versions 2.7.1...

CVE-2024-10783 MainWP Child <= 5.2 - Missing Authorization to Unauthenticated Privilege Escalation

The MainWP Child – Securely Connects to the MainWP Dashboard to Manage Multiple Sites plugin for WordPress is vulnerable to privilege escalation due to a missing authorization checks on the registersite function in all versions up to, and including, 5.2 when a site is left in an unconfigured stat...

XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

Impact Any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document Scheduler.WebHome in a subwiki. Then, click on any operation e.g., Trigger on any job. If the operation is successful...

GHSA-2R87-74CX-2P7C XWiki allows remote code execution from account through macro descriptions and XWiki.XWikiSyntaxMacrosList

Impact Any user with an account can perform arbitrary remote code execution by adding instances of XWiki.WikiMacroClass to any page. This compromises the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on a instance, as a connected user without script nor...

CVE-2024-55876 XWiki's scheduler in subwiki allows scheduling operations for any main wiki user

XWiki Platform is a generic wiki platform. Starting in version 1.2-milestone-2 and prior to versions 15.10.9 and 16.3.0, any user with an account on the main wiki could run scheduling operations on subwikis. To reproduce, as a user on the main wiki without any special right, view the document...

CVE-2024-55662 XWiki allows remote code execution through the extension sheet

XWiki Platform is a generic wiki platform. Starting in version 3.3-milestone-1 and prior to versions 15.10.9 and 16.3.0, on instances where Extension Repository Application is installed, any user can execute any code requiring programming rights on the server. This vulnerability has been fixed in...

CVE-2024-53273

Habitica is an open-source habit-building program. Versions prior to 5.28.5 are vulnerable to reflected cross-site scripting. The register function in RegisterLoginReset.vue contains a reflected XSS vulnerability due to an incorrect sanitization function. An attacker can specify a malicious...

PT-2024-16335 · WordPress · Paid Membership Plugin

Name of the Vulnerable Software and Affected Versions: Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content WordPress plugin versions prior to 4.15.15 Description: The issue concerns the Paid Membership Plugin, Ecommerce, User Registration Form,...

CVE-2024-56651 affecting package kernel for versions less than 5.15.173.1-1

CVE-2024-56651 affecting package kernel for versions less than 5.15.173.1-1. A patched version of the package is available...

About the security content of Safari18.2

About the security content of Safari18.2 This document describes the security content of Safari 18.2. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or releases are available...

PT-2024-36966

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.74 Description A vulnerability in the Linux kernel has been resolved, related to the ALSA control, where the use of WARN for showing symlink creation errors was downgraded to dev err to avoid confusing fuzzer...

CVE-2024-55601

Hugo, a static site generator, is affected in versions 0.123.0 through 0.139.3 (prior to 0.139.4). The issue: certain HTML attributes in Markdown in internal templates are not escaped in render hooks, specifically in templates _default/_markup/render-link.html (v0.123.0), _default/_markup/render-...