CVE-2021-41921
novel-plus V3.6.1 allows unrestricted file uploads. Unrestricted file suffixes and contents can lead to server attacks and arbitrary code execution. Date published : 2022-04-28 https://github.com/201206030/novel-plus/issues/62
IBM InfoSphere Information Server 11.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within...
NoMachine for Windows prior to version 6.15.1 and 7.5.2 suffers from local privilege escalation due to the lack of safe DLL loading. This vulnerability allows local non-privileged users to perform DLL Hijacking via any...
The Nimbus skin for MediaWiki through 1.37.2 (before 6f9c8fb868345701d9544a54d9752515aace39df) allows XSS in Advertise link messages. Date published : 2022-04-28 https://gerrit.wikimedia.org/r/c/786959 https://phabricator.wikimedia.org/T306815
The admin API module in the QuizGame extension for MediaWiki through 1.37.2 (before 665e33a68f6fa1167df99c0aa18ed0157cdf9f66) omits a check for the quizadmin user. Date published : 2022-04-28 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/QuizGame/+/765651 https://phabricator.wikimedia.org/T302199
The FanBoxes extension for MediaWiki through 1.37.2 (before 027ffb0b9d6fe0d823810cf03f5b562a212162d4) allows Special:UserBoxes CSRF. Date published : 2022-04-28 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/FanBoxes/+/786327 https://phabricator.wikimedia.org/T306741
The SemanticDrilldown extension for MediaWiki through 1.37.2 (before e688bdba6434591b5dff689a45e4d53459954773) allows SQL injection with certain '-' and '_' constraints. Date published : 2022-04-28 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/SemanticDrilldown/+/785213 https://phabricator.wikimedia.org/T306463
The Private Domains extension for MediaWiki through 1.37.2 (before 1ad65d4c1c199b375ea80988d99ab51ae068f766) allows CSRF for editing pages that store the extension’s configuration. The attacker must trigger a POST request to Special:PrivateDomains. Date published : 2022-04-28 https://gerrit.wikimedia.org/r/c/mediawiki/extensions/PrivateDomains/+/783416...
In JetBrains Rider before 2022.1, local code execution via links in ReSharper Quick Documentation was possible. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/
In JetBrains PyCharm before 2022.1, exposure of the debugger port to the internal network was possible. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/
In JetBrains IntelliJ IDEA before 2022.1, local code execution via links in Quick Documentation was possible. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/
In JetBrains IntelliJ IDEA before 2022.1, origin checks in the internal web server were flawed. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/
In JetBrains IntelliJ IDEA before 2022.1, reflected XSS via error messages in the internal web server was possible. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/
In JetBrains IntelliJ IDEA before 2022.1, HTML injection into IDE messages was possible. Date published : 2022-04-28 https://www.jetbrains.com/privacy-security/issues-fixed/