![]() MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the rulles_list_ajax endpoint. MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to HTTP Response splitting via the format parameter. MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the data_leak_list_ajax endpoint. MDaemon Technologies SecurityGateway for Email Servers 8.5.2, is vulnerable to HTTP Response splitting via the data parameter. MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the whitelist endpoint. after login leads to inject malicious tag leads to IFRAME injection. MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to IFRAME Injectionvia the currentRequest parameter. MDaemon Technologies SecurityGateway for Email Servers 8.5.2 is vulnerable to Cross Site Scripting (XSS) via the Blacklist endpoint. ![]() The vulnerability requires user access to create and share dashboards using Splunk Web. In Splunk Enterprise versions in the following table, an authenticated user can craft a dashboard that could potentially leak information (for example, username, email, and real name) about Splunk users, when visited by another user through the drilldown component. Vtiger CRM v7.4.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability via the e-mail template modules.ĭiscourse through 2.8.7 allows admins to send invitations to arbitrary email addresses at an unlimited rate. Improper neutralization of input during web page generation leaves the Eyes of Network web application vulnerable to cross-site scripting attacks at /module/admin_notifiers/rules.php and /module/report_event/indext.php via the parameters rule_notification, rule_name, and rule_name_old, and at /module/admin_user/add_modify_user.php via the parameters user_name and user_email. This can be exploited by abusing password reset emails. ![]() As a workaround, one may delete the Swapper API Documentation from their e-mail server.Ī Host Header Injection vulnerability in Feehi CMS 2.1.1 may allow an attacker to spoof a particular header. The issue has been fixed with the 2022-09 mailcow Mootember Update. This could redirect a victim to an attacker controller place to steal Swagger authorization credentials or create a phishing page to steal other information. A vulnerability innversions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. Using Advanced Initialization, developers can check the requests and compare the query's token and identifier before proceeding. An attacker who knows about the victim's email could easily sign in as the victim, given the attacker also knows about the verification token's expired duration. The Upstash Redis adapter implementation did not check for both the identifier (email) and the token, but only checking for the identifier when verifying the token in the email callback flow. Applications that use `next-auth` Email Provider and before v3.0.2 are affected by this vulnerability. # Workarounds Rebuild and redeploy the Orchest `auth-server` with this commit: # References # For more information If you have any questions or comments about this advisory: * Open an issue in * Email us at is the Upstash Redis adapter for NextAuth.js, which provides authentication for Next.js. ![]() # Patch Upgrade to v2022.09.10 to patch this vulnerability. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. # Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. There are no known workarounds for this issue. This vulnerability can be used to expose the following information: Estimating database row counts from tables with a sequential primary key or Exposing staff user and customer email addresses and full name through the `assignNavigation()` mutation. In affected versions some GraphQL mutations were not properly checking the ID type input which allowed to access database objects that the authenticated user may not be allowed to access. Saleor is a headless, GraphQL commerce platform. ![]() An access-control vulnerability in Gradle Enterprise 2022.4 through 2022.3.1 allows remote attackers to prevent backups from occurring, and send emails with arbitrary text content to the configured installation-administrator contact address, via HTTP access to an accidentally exposed internal endpoint. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |