
2763 matches found

OSV · added 2023/04/29 5:07 a.m. · 6 views

SUSE-SU-2023:2078-1 Security update for webkit2gtk3

This update for webkit2gtk3 fixes the following issues: Update to version 2.38.6 bsc1210731: - CVE-2022-0108: Fixed information leak. - CVE-2022-32885: Fixed arbitrary code execution. - CVE-2023-25358: Fixed use-after-free vulnerability in WebCore::RenderLayer. - CVE-2023-27932: Fixed Same Origin...

CVSS 8.8 · AI score 7.8 · EPSS 0.27076 · Exploits: 1 · References: 15
Openbugbounty · added 2023/04/26 10:53 p.m. · 8 views

one.wglenergy.com Cross Site Scripting vulnerability OBB-3276543

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 5.9 · Exploits: 0
OSV · added 2023/04/26 8:46 p.m. · 37 views

CVE-2023-30845 ESPv2 vulnerable to JWT authentication bypass via `X-HTTP-Method-Override` header

ESPv2 is a service proxy that provides API management capabilities using Google Service Infrastructure. ESPv2 2.20.0 through 2.42.0 contains an authentication bypass vulnerability. API clients can craft a malicious X-HTTP-Method-Override header value to bypass JWT authentication in specific cases...

CVSS 8.2 · AI score 9.4 · EPSS 0.00658 · Exploits: 0 · References: 6
Vulnrichment · added 2023/04/26 6:14 p.m. · 12 views

CVE-2023-30546 Contiki-NG has off-by-one error in Antelope DBMS

Contiki-NG is an operating system for Internet of Things devices. An off-by-one error can be triggered in the Antelope database management system in the Contiki-NG operating system in versions 4.8 and prior. The problem exists in the Contiki File System CFS backend for the storage of data file...

CVSS 9.8 · AI score 9.4 · EPSS 0.00638 · Exploits: 0 · References: 2
Rockylinux · added 2023/04/26 3:28 p.m. · 39 views

emacs security update

An update is available for emacs. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. GNU Emacs is a powerful, customizable, self-documenting text editor. It provide...

CVSS 7.8 · AI score 8.2 · EPSS 0.00469 · Exploits: 0
Positive Technologies · added 2023/04/21 12:00 a.m. · 4 views

PT-2023-22470 · H3C · H3C Magic R200

Name of the Vulnerable Software and Affected Versions: H3C Magic R200 version R200V100R004 Description: A stack overflow issue was discovered via the SetAPWifiorLedInfoById interface at the "/goform/aspForm" API endpoint. Recommendations: For H3C Magic R200 version R200V100R004, consider disablin...

CVSS 4.9 · AI score 5.2 · EPSS 0.00787 · Exploits: 0 · References: 5
OSV · added 2023/04/20 10:04 p.m. · 16 views

GHSA-3HJG-CGHV-22WW org.xwiki.platform:xwiki-platform-attachment-ui vulnerable to Code Injection

Impact A registered user can perform remote code execution leading to privilege escalation by injecting the proper code in the "property" field of an attachment selector, as a gadget of their own dashboard. Note that the vulnerability does not impact comments of a wiki. Patches The vulnerability...

CVSS 8.8 · AI score 9.4 · EPSS 0.01945 · Exploits: 1 · References: 5
NVD · added 2023/04/20 6:15 p.m. · 18 views

CVE-2023-27495

@fastify/csrf-protection is a plugin which helps protect Fastify servers against CSRF attacks. The CSRF protection enforced by the @fastify/csrf-protection library in combination with @fastify/cookie can be bypassed from network and same-site attackers under certain conditions...

CVSS 6.5 · AI score 5.8 · EPSS 0.00331 · Exploits: 0 · References: 3
OSV · added 2023/04/20 7:01 a.m. · 8 views

SUSE-SU-2023:1926-1 Security update for openssl1

This update for openssl1 fixes the following issues: - CVE-2023-0465: Invalid certificate policies in leaf certificates were silently ignored (bsc1209878). - CVE-2023-0466: Certificate policy checks were not enabled (bsc1209873)...

CVSS 5.3 · AI score 5.8 · EPSS 0.01629 · Exploits: 0 · References: 5
Github Security Blog · added 2023/04/19 6:25 p.m. · 113 views

Improper header name validation in guzzlehttp/psr7

Impact Improper header parsing. An attacker could sneak in a newline \n into both the header names and values. While the specification states that \r\n\r\n is used to terminate the header list, many servers in the wild will also accept \n\n. Patches The issue is patched in 1.9.1 and 2.4.5...

CVSS 7.5 · AI score 5.7 · EPSS 0.01216 · Exploits: 0 · References: 10 · Affected Software: 1
Prion · added 2023/04/19 6:15 p.m. · 20 views

Cross site scripting

Pay is a payments engine for Ruby on Rails 6.0 and higher. In versions prior to 6.3.2 a payments info page of Pay is susceptible to reflected Cross-site scripting. An attacker could create a working URL that renders a javascript link to a user on a Rails application that integrates Pay. This URL...

CVSS 5.8 · AI score 6 · EPSS 0.0045 · Exploits: 0 · References: 2 · Affected Software: 1
Positive Technologies · added 2023/04/19 12:00 a.m. · 4 views

PT-2023-21341 · Unknown · Online Jewelry Shop

Name of the Vulnerable Software and Affected Versions: Online Jewelry Shop version 1.0 Description: A stored cross-site scripting (XSS) issue in the "/index.php?page=category list" API endpoint of Online Jewelry Shop allows attackers to execute arbitrary web scripts or HTML via a crafted payload...

CVSS 5.4 · AI score 5.3 · EPSS 0.00477 · Exploits: 1 · References: 5
Vulnrichment · added 2023/04/18 11:46 p.m. · 7 views

CVE-2023-29513 Users can be created even when registration is disabled without validation via the template macro in xwiki-platform

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. If a guest has view right on any document, it is possible to create a new user using the distribution/firstadminuser.wiki in the wrong context. This vulnerability has been patched in XWiki...

CVSS 5 · AI score 5.1 · EPSS 0.00672 · Exploits: 1 · References: 3
Vulnrichment · added 2023/04/16 7:06 a.m. · 8 views

CVE-2023-30537 org.xwiki.platform:xwiki-platform-flamingo-theme-ui vulnerable to privilege escalation

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Any user with the right to add an object on a page can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper...

CVSS 9.9 · AI score 9.6 · EPSS 0.01037 · Exploits: 1 · References: 3
Openbugbounty · added 2023/04/10 7:44 p.m. · 11 views

familienzentrum-altenhof.de Cross Site Scripting vulnerability OBB-3257099

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 5.9 · Exploits: 0
Openbugbounty · added 2023/04/10 6:04 a.m. · 12 views

ekiosku.com Cross Site Scripting vulnerability OBB-3256537

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

AI score 5.9 · Exploits: 0
Prion · added 2023/04/08 9:15 a.m. · 14 views

Cross site scripting

A vulnerability was found in Broken Link Checker Plugin up to 1.10.5 on WordPress. It has been rated as problematic. Affected by this issue is the function printmodulelist/showwarningssectionnotice/statustext/uigetactionlinks. The manipulation leads to cross site scripting. The attack may be...

CVSS 5.8 · AI score 6.4 · EPSS 0.00559 · Exploits: 0 · References: 4 · Affected Software: 1
NVD · added 2023/04/04 10:15 p.m. · 28 views

CVE-2023-28840

Moby is an open source container framework developed by Docker Inc. that is distributed as Docker, Mirantis Container Runtime, and various other downstream projects/products. The Moby daemon component dockerd, which is developed as moby/moby, is commonly referred to as Docker. Swarm Mode, which i...

CVSS 8.7 · AI score 8.3 · EPSS 0.02733 · Exploits: 1 · References: 10
Positive Technologies · added 2023/03/29 12:00 a.m. · 5 views

PT-2023-15433 · WordPress · Mr Digital Simple Image Popup

Name of the Vulnerable Software and Affected Versions: Mr Digital Simple Image Popup plugin versions 1.3.6 and earlier Description: The issue is related to a Stored Cross-Site Scripting XSS vulnerability that requires authentication with admin+ privileges. Recommendations: For Mr Digital Simple...

CVSS 5.9 · AI score 4.8 · EPSS 0.00421 · Exploits: 0 · References: 4
OSV · added 2023/03/28 8:32 p.m. · 21 views

CVE-2023-28427 Prototype pollution in matrix-js-sdk

matrix-js-sdk is a Matrix messaging protocol Client-Server SDK for JavaScript. In versions prior to 24.0.0 events sent with special strings in key places can temporarily disrupt or impede the matrix-js-sdk from functioning properly, potentially impacting the consumer's ability to process data...

CVSS 8.2 · AI score 8.1 · EPSS 0.01185 · Exploits: 0 · References: 7