» 2020 » 12월

CVE-2020-5809

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-5809

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user can inject arbitrary JavaScript code into iframes when editing content using the TinyMCE rich-text editor, as TinyMCE is configured to allow iframes by default in Umbraco CMS.

Source: CVE-2020-5809

CVE-2020-5810

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-5810

A stored XSS vulnerability exists in Umbraco CMS <= 8.9.1 or current. An authenticated user authorized to upload media can upload a malicious .svg file which act as a stored XSS payload.

Source: CVE-2020-5810

CVE-2020-35241

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-35241

FlatPress 1.0.3 is affected by cross-site scripting (XSS) in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in Blog content via the admin panel. Each time any user will go to that blog page, the XSS triggers and the attacker can steal the cookie according to the crafted payload.

Source: CVE-2020-35241

CVE-2020-35240

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-35240

FluxBB 1.5.11 is affected by cross-site scripting (XSS in the Blog Content component. This vulnerability can allow an attacker to inject the XSS payload in "Blog Content" and each time any user will visit the blog, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.

Source: CVE-2020-35240

CVE-2020-29233

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-29233

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Page description component. This vulnerability can allow an attacker to inject the XSS payload in the Page description and each time any user will visits the website, the XSS triggers and attacker can steal the cookie according to the crafted payload.

Source: CVE-2020-29233

CVE-2020-29477

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-29477

Invision Community 4.5.4 is affected by cross-site scripting (XSS) in the Field Name field. This vulnerability can allow an attacker to inject the XSS payload in Field Name and each time any user will open that, the XSS triggers and the attacker can able to steal the cookie according to the crafted payload.

Source: CVE-2020-29477

CVE-2020-29469

Posted on 2020년 12월 31일2020년 12월 31일 by admin

CVE-2020-29469

WonderCMS 3.1.3 is affected by cross-site scripting (XSS) in the Menu component. This vulnerability can allow an attacker to inject the XSS payload in the Setting – Menu and each time any user will visits the website directory, the XSS triggers and attacker can steal the cookie according to the crafted payload.

Source: CVE-2020-29469

CVE-2020-29594

Posted on 2020년 12월 30일2020년 12월 30일 by admin

CVE-2020-29594

Rocket.Chat before 0.74.4, 1.x before 1.3.4, 2.x before 2.4.13, 3.x before 3.7.3, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 mishandles SAML login.

Source: CVE-2020-29594

CVE-2020-35850

Posted on 2020년 12월 30일2020년 12월 30일 by admin

CVE-2020-35850

** DISPUTED ** An SSRF issue was discovered in cockpit-project.org Cockpit 234. NOTE: this is unrelated to the Agentejo Cockpit product. NOTE: the vendor states "I don’t think [it] is a big real-life issue."

Source: CVE-2020-35850

CVE-2020-35848

Posted on 2020년 12월 30일2020년 12월 30일 by admin

CVE-2020-35848

Agentejo Cockpit before 0.11.2 allows NoSQL injection via the Controller/Auth.php newpassword function.

Source: CVE-2020-35848