CVE-2022-38251
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the System Performance Settings page under the Admin panel.
Source: CVE-2022-38251
CVE-2022-38249
Nagios XI v5.8.6 was discovered to contain a cross-site scripting (XSS) vulnerability via the MTR component in version 1.0.4.
Source: CVE-2022-38249
CVE-2022-38250
Nagios XI v5.8.6 was discovered to contain a SQL injection vulnerability via the mib_name parameter at the Manage MIBs page.
Source: CVE-2022-38250
CVE-2022-38248
Nagios XI before v5.8.7 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at auditlog.php.
Source: CVE-2022-38248
CVE-2020-19914
Cross Site Scripting (XSS) in xiunobbs 4.0.4 allows remote attackers to execute arbitrary web script or HTML via the attachment upload function.
Source: CVE-2020-19914
CVE-2022-36080
Wikmd is a file-based wiki that uses markdown. Prior to version 1.7.1, an attacker could capture a user's session cookies or execute malicious JavaScript when a victim edits a markdown file. Version 1.7.1 fixes this issue.
Source: CVE-2022-36080
CVE-2022-36081
Wikmd is a file-based wiki that uses markdown. Prior to version 1.7.1, Wikmd is vulnerable to path traversal when accessing `/list/<path:folderpath>` and discloses lists of files located on the server, including sensitive data. Version 1.7.1 fixes this issue.
Source: CVE-2022-36081
CVE-2022-36079
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Internal fields (keys used internally by Parse Server, prefixed by `_`) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server, prior to versions 4.10.14 or 5.2.5, returns a response object. The patch available in versions 4.10.14 and 5.2.5 requires the master key to use internal and protected fields as query constraints. As a workaround, implement a Parse Cloud Trigger `beforeFind` and manually remove the query constraints.
Source: CVE-2022-36079
CVE-2022-36049
Flux2 is a tool for keeping Kubernetes clusters in sync with sources of configuration, and Flux’s helm-controller is a Kubernetes operator that allows one to declaratively manage Helm chart releases. Helm controller is tightly integrated with the Helm SDK. A vulnerability found in the Helm SDK that affects flux2 v0.0.17 until v0.32.0 and helm-controller v0.0.4 until v0.23.0 allows for specific data inputs to cause high memory consumption. In some platforms, this could cause the controller to panic and stop processing reconciliations. In a shared cluster multi-tenancy environment, a tenant could create a HelmRelease that makes the controller panic, denying all other tenants from their Helm releases being reconciled. Patches are available in flux2 v0.32.0 and helm-controller v0.23.0.
Source: CVE-2022-36049
CVE-2022-3130
A vulnerability classified as critical has been found in codeprojects Online Driving School. This affects an unknown part of the file /login.php. The manipulation of the argument username leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-207873 was assigned to this vulnerability.
Source: CVE-2022-3130