CVE-2020-18470
Stored cross-site scripting (XSS) vulnerability in the Name of application field found in the General Configuration page in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website...
Stored cross-site scripting (XSS) vulnerability in the Copyright Text field found in the Application page under the Configuration menu in Rukovoditel 2.4.1 allows remote attackers to inject arbitrary web script or HTML via a...
Cross Site Scripting (XSS) vulnerability exists in qdPM 9.1 in the Heading field found on the Login Page under the General menu via a crafted website name by doing an authenticated POST HTTP...
Cross Site Scripting (XSS) vulnerability exists in BigTree-CMS 4.4.3 in the tag name field found in the Tags page under the General menu via a crafted website name by doing an authenticated POST HTTP...
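The five entries above share one pattern: a configuration field (application name, copyright text, login-page heading, tag name) is written once by an authenticated user and then rendered, unescaped, into pages that other users load, so a single saved payload fires in every browser that opens the page. The Python below is an added illustration of that pattern beside its fix; it is not code from Rukovoditel, qdPM or BigTree CMS (all PHP applications), and the function names and stored values are constructed for the example.

```python
import html

# Constructed sample of values an administrator could save on an application
# settings page. The application name carries a script tag and the copyright
# text an image with an event handler, the kind of payload the advisories above
# describe. Nothing here is taken from the affected products.
STORED_CONFIG = {
    "app_name": 'Acme "Portal" <script>alert(document.cookie)</script>',
    "copyright": "(c) 2021 Acme & Co. <img src=x onerror=alert(1)>",
}


def render_header_vulnerable(config):
    """Concatenates stored values straight into HTML, the pattern behind a stored
    XSS in a configuration field. Markup saved once in the field is emitted as
    markup, so it runs in the browser of every user who loads the page."""
    return (
        "<title>%s</title>\n" % config["app_name"]
        + '<input name="app_name" value="%s">\n' % config["app_name"]
        + "<footer>%s</footer>" % config["copyright"]
    )


def render_header_safe(config):
    """Same page, with each value escaped at output time for the HTML context
    it lands in. quote=True also encodes " and ', which is what stops a stored
    value from closing the value="..." attribute and adding its own handler."""
    name = html.escape(config["app_name"], quote=True)
    copyright_text = html.escape(config["copyright"], quote=True)
    return (
        "<title>%s</title>\n" % name
        + '<input name="app_name" value="%s">\n' % name
        + "<footer>%s</footer>" % copyright_text
    )


def contains_raw_payload(rendered):
    """Crude check for the demonstration: is the stored markup still live in
    the output as a real tag, or has it been turned into inert text?"""
    return "<script" in rendered or "<img" in rendered


if __name__ == "__main__":
    print(render_header_vulnerable(STORED_CONFIG))
    print()
    print(render_header_safe(STORED_CONFIG))
```

Escaping belongs at output time and is context-specific: html.escape covers text nodes and quoted attributes, but a value placed inside a script block or a URL needs JavaScript-string or URL encoding instead, and storing pre-escaped text in the database tends to break the non-HTML consumers of the same field (e-mail templates, API responses).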
It is possible to inject HTML and/or JavaScript in the HTML to PDF conversion in Gotenberg through 6.2.1 via the /convert/html endpoint. Date published : 2021-08-26 https://github.com/gotenberg/gotenberg/issues/215 https://github.com/gotenberg/gotenberg/pull/319
An SSRF vulnerability in Gotenberg through 6.2.1 exists in the remote URL to PDF conversion, which results in a remote attacker being able to read local files or fetch intranet resources. Date published :...
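The two Gotenberg entries describe a converter that points a headless browser at attacker-chosen content, so the renderer's own network position (localhost, the pod network, cloud metadata) becomes the attacker's. For the remote-URL case, the minimum check is to resolve the hostname before fetching and refuse anything that is not a public unicast address. The Python below is an added example of such a check, not Gotenberg's code or its fix; check_fetch_target, is_public_ip and rejected are hypothetical names, and the DNS table is constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table standing in for a real resolver. The public address is
# a sample value; the others are the ranges an SSRF typically reaches for.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.attacker.test": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host):
    """Stand-in resolver: literal IP addresses map to themselves, names are
    looked up in the constructed table, unknown names return no answer."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return FAKE_DNS.get(host, [])


def is_public_ip(ip):
    """True only for globally routable unicast addresses. Loopback, RFC 1918,
    link-local (169.254/16, where cloud metadata services live), multicast,
    reserved and unspecified ranges all fail."""
    return not (
        ip.is_private or ip.is_loopback or ip.is_link_local
        or ip.is_multicast or ip.is_reserved or ip.is_unspecified
    )


def check_fetch_target(raw_url, resolve):
    """Validates a user-supplied URL before a renderer is pointed at it and
    returns the vetted addresses. resolve(host) must return the IP address
    strings the host maps to; it is injected so the check is testable offline
    and so the caller can connect to exactly the addresses that were vetted
    rather than performing a second lookup that may return something else."""
    parts = urlsplit(raw_url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError("scheme not allowed: %r" % parts.scheme)
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    addrs = resolve(host)
    if not addrs:
        raise ValueError("host does not resolve: %r" % host)
    vetted = []
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 is judged by
        # the IPv4 address it wraps, otherwise it slips past the v4 ranges.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # Every answer must be public: a name that resolves to one public and
        # one internal address is refused outright.
        if not is_public_ip(ip):
            raise ValueError("host %r resolves to non-public address %s" % (host, ip))
        vetted.append(str(ipaddress.ip_address(addr)))
    return vetted


def rejected(raw_url, resolve=fake_resolve):
    """True if check_fetch_target refuses the URL."""
    try:
        check_fetch_target(raw_url, resolve)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for url in ("https://example.com/report", "file:///etc/passwd",
                "http://[::ffff:127.0.0.1]/", "http://metadata.internal/"):
        print(url, "rejected" if rejected(url) else "allowed")
```

Two caveats the check alone does not cover: the renderer follows redirects, so each hop has to be re-validated (or redirects refused), and the connection must go to the addresses that were vetted, not to the result of a fresh lookup at connect time. The HTML-conversion entry (/convert/html) shows why a URL check is not sufficient on its own: when the attacker supplies the page body, the script in it can issue the requests itself, so the renderer also needs network egress restrictions toward loopback, link-local and intranet ranges.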
** DISPUTED ** gdImageGd2Ptr in gd_gd2.c in the GD Graphics Library (aka LibGD) through 2.3.2 has a double free. NOTE: the vendor’s position is "The GD2 image format is a proprietary image format of...
nbgitpuller is a Jupyter server extension to sync a git repository one-way to a local path. Due to unsanitized input, visiting maliciously crafted links could result in arbitrary code execution in the user environment....
BinderHub is a kubernetes-based cloud service that allows users to share reproducible interactive computing environments from code repositories. In affected versions a remote code execution vulnerability has been identified in BinderHub, where providing BinderHub...
baserCMS is an open source content management system with a focus on Japanese language support. In affected versions there is a cross-site scripting vulnerability in the file upload function of the management system of...
A security issue in Umbraco Forms 4.0.0 up to and including 8.7.5 could lead to a remote code execution attack and/or arbitrary file deletion. Date published : 2021-08-25 https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/ https://umbraco.com/blog/security-advisory-security-patches-for-umbraco-forms-ready-on-july-20th-2021-at-7-am-utc/
In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion. Date published : 2021-08-25 https://backstage.forgerock.com/knowledge/kb/article/a55763454 https://www.forgerock.com/platform/access-management
ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue. Date published : 2021-08-25 https://backstage.forgerock.com/knowledge/kb/article/a55763454 https://www.forgerock.com/platform/access-management
An out-of-bounds write flaw was found in the UAS (USB Attached SCSI) device emulation of QEMU in versions prior to 6.2.0-rc0. The device uses the guest supplied stream number unchecked, which can lead to...