GitHub

Improper Access Control in GitHub repository snipe/snipe-it prior to 5.4.4.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-1511
https://github.com/snipe/snipe-it/commit/2e9cf8fa87a025c0eac9f79f4864b3fdd33a950c
https://huntr.dev/bounties/4a1723e9…

FacturaScripts prior to version 2022.06 is vulnerable to stored cross-site scripting via upload plugin functionality in zip format.
References

https://nvd.nist.gov/vuln/detail/CVE-2022-1514
https://github.com/neorazorx/facturascripts/commit/aa9f28cb86…

Impact
The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires the Script rights in XWiki so not all users can use it, an…

zend-diactoros (and, by extension, Expressive), zend-http (and, by extension, Zend Framework MVC projects), and zend-feed (specifically, its PubSubHubbub sub-component) each contain a potential URL rewrite exploit. In each case, marshaling a request UR…

Impact
Multiple tokens for password reset could be requested. All tokens could be used to change the password.
This makes it possible for an attacker to take over the victims account if s/he gains access to the victims email account and finds unused pa…

Impact
The CSRF tokens were not renewed after login and logout.
An attacker could impersonate the victim if the attacker is able to use the same device as the victim used beforehand.
Patches
We recommend updating to the current version 5.7.9. You can g…

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scr…

A flaw was found in keycloak, where IDN homograph attacks are possible. This flaw allows a malicious user to register a name that already exists and then tricking an admin to grant extra privileges. The highest threat from this vulnerability is to inte…

A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges.
References

https://nvd….

Impact
Not-stored XSS in storefront.
Request parameter were directly assigned to the template, so that malicious code could be send via an URL.
Patches
We recommend updating to the current version 5.7.9. You can get the update to 5.7.9 regularly via th…