
CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 2

SHIRASAGI is a Content Management System. Prior to version 1.18.0, SHIRASAGI is vulnerable to a post-Unicode-normalization issue: a logical validation or security check is performed before Unicode normalization, so a character removed by the check can resurface in its Unicode-equivalent form after normalization. The fix is to perform the Unicode normalization first, then strip all whitespace, and only then check for a blank string.
References: https://github.com/shirasagi/shirasagi/blob/f249ce3f06f6bfbc0017b38f5c13de424334c3ea/app/models/concerns/rdf/object.rb#L68-L72 https://github.com/shirasagi/shirasagi/security/advisories/GHSA-xr45-c2jv-2v9r https://sim4n6.beehiiv.com/p/unicode-characters-bypass-security-checks
Weaknesses: CWE-116: Improper Encoding or Escaping of Output; CWE-176: Improper Handling of Unicode Encoding

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 0

Stored cross-site scripting vulnerability in SHIRASAGI prior to v1.18.0 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
References: https://jvn.jp/en/jp/JVN82758000 https://www.ss-proj.org/support/954.html
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 0

Reflected cross-site scripting vulnerability in SHIRASAGI prior to v1.18.0 allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
References: https://jvn.jp/en/jp/JVN82758000 https://www.ss-proj.org/support/954.html
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 0

Path traversal vulnerability in SHIRASAGI prior to v1.18.0 allows a remote authenticated attacker to alter or create arbitrary files on the server, resulting in arbitrary code execution.
References: https://jvn.jp/en/jp/JVN82758000 https://www.ss-proj.org/support/954.html
Weaknesses: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSS: 4.8 | EPSS: 0% | CPEs: 1 | EXPL: 1

Stored cross-site scripting vulnerability in the theme switching function of SHIRASAGI v1.16.2 and earlier versions allows a remote attacker with administrative privilege to inject an arbitrary script.
References: https://github.com/shirasagi/shirasagi https://jvn.jp/en/jp/JVN18765463 https://www.ss-proj.org https://www.ss-proj.org/support/938.html
Weaknesses: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')