Carriage return (\r), line feed (\n) and tab (\t) characters in user-supplied URLs can cause the npm package urijs, prior to version 1.19.11, to extract the wrong protocol.
This can lead to XSS when the module is used to block malicious javascript: links from being passed into…
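The scheme-extraction problem above is generic: browsers parse links with the WHATWG URL algorithm, which strips leading and trailing C0 controls and spaces and removes every ASCII tab, LF and CR from the input before it looks for a scheme. A validator that runs a regex over the raw string therefore sees "java\tscript:" as a relative URL while the browser sees "javascript:". The following is an added example written for this page, not urijs code and not the urijs fix; `SAFE_SCHEMES`, the `https://app.example/` base and the sample inputs are constructed for illustration.

```javascript
// Added example (not urijs code): check the scheme the browser will parse,
// not the scheme a regex finds in the raw bytes.
const SAFE_SCHEMES = new Set(['http:', 'https:', 'mailto:']); // constructed allowlist

// Naive extraction: an anchored regex over the raw string. A \t, \r or \n
// inside the scheme makes the match fail, so the link looks "relative".
function naiveProtocol(raw) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(raw);
  return m ? m[1].toLowerCase() + ':' : null;
}

function naiveIsSafeLink(raw) {
  const proto = naiveProtocol(raw);
  // Relative URLs are accepted as-is: this is the hole.
  return proto === null || SAFE_SCHEMES.has(proto);
}

// Hardened: normalize the way the WHATWG parser does (strip leading/trailing
// C0 controls and spaces, remove tab/LF/CR anywhere), then let the platform
// URL parser decide what the scheme is.
function normalizeUrlInput(raw) {
  return String(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

function safeProtocol(raw, base = 'https://app.example/') {
  // 'base' is a constructed placeholder origin used to resolve relative links.
  try {
    return new URL(normalizeUrlInput(raw), base).protocol;
  } catch (e) {
    return null; // unparseable input: reject
  }
}

function isSafeLink(raw) {
  const proto = safeProtocol(raw);
  return proto !== null && SAFE_SCHEMES.has(proto);
}

// Constructed sample inputs.
const SAMPLES = [
  'https://example.org/page',
  '/relative/path',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  'java\r\nscript:alert(1)',
  ' \tjavascript:alert(1)',
  'JaVaScRiPt:alert(1)',
];

// Side-by-side verdicts of the naive and hardened checks.
function compare() {
  return SAMPLES.map((s) => ({
    input: JSON.stringify(s),
    naive: naiveIsSafeLink(s),
    hardened: isSafeLink(s),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

Running the block prints a table in which every javascript: variant with an embedded tab or newline is accepted by `naiveIsSafeLink` and rejected by `isSafeLink`; the hardened version also resolves relative links against the site origin so they are checked as `https:` rather than waved through unexamined.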
[github.com/beego/beego] Access control bypass in Beego
An issue was discovered in the route lookup process in beego through 2.0.1, which allows attackers to bypass access control.
References
https://nvd.nist.gov/vuln/detail/CVE-2021-30080
https://github.com/beego/beego/commit/d5df5e470d0a8ed291930ae802fd7e6b952…
[github.com/beego/beego/v2] Privilege escalation in beego
An issue was discovered in file profile.go. The MemProf and GetCPUProfile functions do not correctly check whether the file they create already exists. As a result, local attackers can mount symlink attacks. Attackers can use this vulnerability to escala…
[github.com/beego/beego/v2] Privilege escalation in beego
beego is an open-source, high-performance web framework for the Go programming language. An issue was discovered in file profile.go in function GetCPUProfile in beego through 2.0.2, which allows attackers to launch symlink attacks locally.
References
https:…
[impresscms/impresscms] SQL injection in ImpressCMS
SQL Injection in ImpressCMS 1.4.3 and earlier allows remote attackers to inject SQL through inputs that were not intended to reach the query, which allows an attacker to read and modify sensitive information in the database used by the application. If misconfigured, an attack…
[wwbn/avideo] Open redirect in wwbn/avideo
Open redirect vulnerability in objects/login.json.php in WWBN AVideo through 11.6 allows attackers to redirect users to an arbitrary URL via a crafted link to the login page. A patch is available on the master branch of the repository.
References
https://nvd…
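A post-login redirect parameter is the classic open-redirect sink, and the usual "starts with a slash" check is not enough because protocol-relative (`//evil.example`) and backslash (`/\evil.example`) forms also start with a slash and resolve to another host. The following is an added example written for this page, not AVideo code and not its patch; the `https://video.example` origin, the `safeRedirectTarget` helper and the sample targets are constructed for illustration.

```javascript
// Added example (not AVideo code): allow a redirect target only if it
// resolves to the application's own origin.
const APP_ORIGIN = 'https://video.example'; // constructed placeholder origin

// Naive check seen in many codebases: accepts "//evil.example/x" and
// "/\evil.example/x", both of which browsers resolve to another host.
function naiveIsLocal(raw) {
  return typeof raw === 'string' && raw.startsWith('/');
}

// Returns the absolute URL to redirect to, or null when the target must be
// rejected (the caller should then fall back to a fixed page such as "/").
function safeRedirectTarget(raw, appOrigin = APP_ORIGIN) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  let url;
  try {
    // Resolve against our own origin so bare paths like "/videos" work.
    url = new URL(raw, appOrigin);
  } catch (e) {
    return null; // unparseable input
  }
  // One comparison rejects absolute URLs to other hosts, protocol-relative
  // and backslash forms, and non-http(s) schemes (javascript:, data:), whose
  // origin serialises as the string "null".
  if (url.origin !== new URL(appOrigin).origin) return null;
  // Strip embedded credentials so the returned URL is exactly ours.
  url.username = '';
  url.password = '';
  return url.href;
}

// Constructed sample targets, as an attacker might supply them.
const SAMPLE_TARGETS = [
  '/videos?id=5',
  'https://video.example/ok',
  '//evil.example/x',
  '/\\evil.example/x',
  'https://evil.example/x',
  'javascript:alert(1)',
];

function compare() {
  return SAMPLE_TARGETS.map((t) => ({
    target: t,
    naive: naiveIsLocal(t),
    safe: safeRedirectTarget(t),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(compare());
}
```

The origin comparison is the whole check: anything that does not land on `https://video.example` after WHATWG resolution is refused, so the validator does not need its own list of dangerous prefixes.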
[tastyigniter/tastyigniter] Cross-site Scripting in TastyIgniter
TastyIgniter prior to version 3.3.0 is vulnerable to Document Object Model (DOM) based Cross-site Scripting (XSS).
References
https://nvd.nist.gov/vuln/detail/CVE-2022-0602
https://github.com/tastyigniter/tastyigniter/commit/992d4ce6444805c3132e3635a0…
[valine] Cross site scripting in valine
valine is a fast, simple & powerful comment system. Cross Site Scripting (XSS) vulnerability in xCss Valine v1.4.14 via the nick parameter to /classes/Comment. A fix was released in version 1.4.15.
References
https://nvd.nist.gov/vuln/detail/CVE-2…
[org.apache.pinot:pinot] Logic error in Apache Pinot
In Apache Pinot 0.9.3 and earlier, the segment upload path allowed segment directories to be imported into Pinot tables. In Pinot installations that allow open access to the controller, a specially crafted request can potentially be exploited to cau…