Page 31 of 370 results (0.005 seconds)

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

XSS in Upload page in Apache JSPWiki 2.12.1 and priors allows the attacker to execute javascript in the victim's browser and get some sensitive information about the victim. Apache JSPWiki users should upgrade to 2.12.2 or later. XSS en la página de carga en Apache JSPWiki 2.12.1 y versiones anteriores permite al atacante ejecutar javascript en el navegador de la víctima y obtener información confidencial sobre la víctima. Los usuarios de Apache JSPWiki deben actualizar a 2.12.2 o posterior. • https://jspwiki-wiki.apache.org/Wiki.jsp?page=CVE-2024-27136 https://lists.apache.org/thread/gfms8gbncqqkj52p861b8fnsypwsl1d5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.4EPSS: 0%CPEs: 7EXPL: 0

WordPress Core is vulnerable to Stored Cross-Site Scripting via the HTML API in various versions prior to 6.5.5 due to insufficient input sanitization and output escaping on URLs. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. WordPress Core es vulnerable a Cross-Site Scripting Almacenado a través de la API HTML en varias versiones hasta la 6.5.5 debido a una sanitización de entrada insuficiente y a un escape de salida en las URL. Esto hace posible que atacantes autenticados, con acceso de nivel de colaborador y superior, inyecten scripts web arbitrarios en páginas que se ejecutarán cada vez que un usuario acceda a una página inyectada. • https://core.trac.wordpress.org/changeset/58472 https://core.trac.wordpress.org/changeset/58473 https://wordpress.org/news/2024/06/wordpress-6-5-5 https://www.wordfence.com/threat-intel/vulnerabilities/id/bc0d36f8-6569-49a1-b722-5cf57c4bb32a?source=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: -EPSS: 0%CPEs: 1EXPL: 0

Apache Allura's neighborhood settings are vulnerable to a stored XSS attack.  Only neighborhood admins can access these settings, so the scope of risk is limited to configurations where neighborhood admins are not fully trusted. This issue affects Apache Allura: from 1.4.0 through 1.17.0. Users are recommended to upgrade to version 1.17.1, which fixes the issue. La configuración del vecindario de Apache Allura es vulnerable a un ataque XSS almacenado. Solo los administradores de vecindario pueden acceder a estas configuraciones, por lo que el alcance del riesgo se limita a configuraciones en las que no se confía plenamente en los administradores de vecindario. Este problema afecta a Apache Allura: desde 1.4.0 hasta 1.17.0. • https://lists.apache.org/thread/2lb6vp00sj2b2snpmhff5lyortxjsnrp • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 6.8EPSS: 0%CPEs: 2EXPL: 3

Improper Input Validation vulnerability in Apache Superset, allows for an authenticated attacker to create a MariaDB connection with local_infile enabled. If both the MariaDB server (off by default) and the local mysql client on the web server are set to allow for local infile, it's possible for the attacker to execute a specific MySQL/MariaDB SQL command that is able to read files from the server and insert their content on a MariaDB database table.This issue affects Apache Superset: before 3.1.3 and version 4.0.0 Users are recommended to upgrade to version 4.0.1 or 3.1.3, which fixes the issue. Vulnerabilidad de validación de entrada incorrecta en Apache Superset, permite que un atacante autenticado cree una conexión MariaDB con local_infile habilitado. Si tanto el servidor MariaDB (desactivado de forma predeterminada) como el cliente MySQL local en el servidor web están configurados para permitir el archivo local, es posible que el atacante ejecute un comando SQL MySQL/MariaDB específico que pueda leer archivos del servidor e inserte su contenido en una tabla de base de datos MariaDB. Este problema afecta a Apache Superset: antes de 3.1.3 y versión 4.0.0. • https://github.com/mbadanoiu/CVE-2024-34693 https://github.com/labc-dev/CVE-2024-34693 https://github.com/Mr-r00t11/CVE-2024-34693 http://www.openwall.com/lists/oss-security/2024/06/20/1 https://lists.apache.org/thread/1803x1s34m7r71h1k0q1njol8k6fmyon • CWE-20: Improper Input Validation •

CVSS: 7.4EPSS: 0%CPEs: 5EXPL: 0

A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time as certificates are loaded into the SSLContext, such as during the TLS handshake with a certificate directory configured. This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5. Se descubrió un defecto en el módulo “ssl” de Python donde existe una condición de ejecución de memoria con los métodos ssl.SSLContext “cert_store_stats()” y “get_ca_certs()”. La condición de ejecución se puede desencadenar si los métodos se llaman al mismo tiempo que se cargan los certificados en SSLContext, como durante el protocolo de enlace TLS con un directorio de certificados configurado. Este problema se solucionó en CPython 3.10.14, 3.11.9, 3.12.3 y 3.13.0a5. • http://www.openwall.com/lists/oss-security/2024/06/17/2 https://github.com/python/cpython/commit/01c37f1d0714f5822d34063ca7180b595abf589d https://github.com/python/cpython/commit/29c97287d205bf2f410f4895ebce3f43b5160524 https://github.com/python/cpython/commit/37324b421b72b7bc9934e27aba85d48d4773002e https://github.com/python/cpython/commit/542f3272f56f31ed04e74c40635a913fbc12d286 https://github.com/python/cpython/commit/b228655c227b2ca298a8ffac44d14ce3d22f6faa https://github.com/python/cpython/commit/bce693111bff906ccf9281c22371331aaff766ab https://github.com • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •