node-irc is a socket wrapper for the IRC protocol that extends Node.js’ EventEmitter. The vulnerability allows an attacker to manipulate a Matrix user into executing IRC commands by having them reply to a maliciously crafted message. Incorrect handling…
[keylime] Tenant and Verifier might not use the same registrar data
Keylime does not enforce that the agent registrar data is the same when the tenant uses it for validation of the EK and identity quote and the verifier for validating the integrity quote. This allows an attacker to use one AK, EK pair from a real TPM t…
[facturascripts/facturascripts] Cross-site Scripting in FacturaScripts
FacturaScripts versions 2022.06 and prior are vulnerable to reflected cross-site scripting attacks. This vulnerability can use arbitrarily executed javascript code to steal users’ cookies, perform HTTP request, get content of same origin page, etc. A f…
[microweber/microweber] Microweber vulnerable to cross-site scripting (XSS)
Microweber is a drag and drop website builder and a powerful next generation CMS. Microweber versions 1.2.15 and prior are vulnerable to cross-site scripting. This could lead to injection of arbitrary JaveScript code, defacement of a page, or stealing …
[microweber/microweber] Cross-site Scripting in Microweber
Microweber prior to version 1.2.16 is vulnerable to cross-site scripting. This vulnerability allows an attacker to execute JavaScript as the victim.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1584
https://github.com/microweber/microweber/com…
[jquery.json-viewer] Cross-site Scripting in jquery.json-viewer
The jquery.json-viewer library before version 1.5.0 for Node.js does not properly escape characters such as < in a JSON object, as demonstrated by a SCRIPT element.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-30241
https://github.com/abode…
[parse-server] Authentication bypass and denial of service (DoS) vulnerabilities in Apple Game Center auth adapter
Weak validation of the Apple certificate URL in the Apple Game Center authentication adapter allows to bypass authentication and makes the server vulnerable to DoS attacks. The vulnerability has been fixed by improving the URL validation and adding add…
[github.com/fluxcd/flux2] Improper path handling in kustomization files allows path traversal
The kustomize-controller enables the use of Kustomize’s functionality when applying Kubernetes declarative state onto a cluster. A malicious user can use built-in features and a specially crafted kustomization.yaml to expose sensitive data from the con…
[scout-browser] Path Traversal in scout-browser
Scout is a Variant Call Format (VCF) visualization interface. The Pypi package scout-browser is vulnerable to path traversal due to send_file call in versions prior to 4.52.
References
https://nvd.nist.gov/vuln/detail/CVE-2022-1554
https://github.com/…
[strapi] Insecure password handling vulnerability in Strapi
Storing passwords in a recoverable format in the DOCUMENTATION plugin component of Strapi before 3.6.9 and 4.x before 4.1.5 allows an attacker to access a victim’s HTTP request. From this, the attacker can get the victim’s cookie, base64 decode it, and…