Weave GitOps Enterprise before 0.9.0-rc.5 has a cross-site scripting (XSS) bug allowing a malicious user to inject a javascript: link in the UI. When clicked by a victim user, the script will execute with the victim's permissions.

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 4.10.15, or 5.0.0 and above prior to 5.2.6, a user can write to the session object of another user if the session object ID is known. For example, an attacker can assign the session object to their own user by writing to the `user` field and then read any custom fields of that session object. Note that assigning a session to another user does not usually change the privileges of either of the two users, and a user cannot assign their own session to another user. This issue is patched in version 4.10.15 and above, and 5.2.6 and above. To mitigate this issue in unpatched versions, add a `beforeSave` trigger to the `_Session` class and prevent writing if the requesting user is different from the user in the session object.

A vulnerability in mailcow versions prior to 2022-09 allows an attacker to craft a custom Swagger API template to spoof Authorize links. This could redirect a victim to an attacker-controlled location to steal Swagger authorization credentials, or be used to create a phishing page to steal other information. The issue has been fixed with the 2022-09 mailcow Mootember Update. As a workaround, one may delete the Swagger API Documentation from their e-mail server.

In JetBrains TeamCity before 2022.04.4, environment variables of "password" type could be logged when using a custom Perforce executable.

Some-natalie/ghas-to-csv (GitHub Advanced Security to CSV) is a GitHub Action which scrapes the GitHub Advanced Security API and shoves it into a CSV. In affected versions this GitHub Action creates the CSV file without sanitizing the output of the APIs. If a dismissed alert or any other custom field contains executable code / formulas, it might be run when an endpoint opens that CSV file in a spreadsheet program. This issue has been addressed in version `v1`. There are no known workarounds for this issue.
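For the ghas-to-csv issue above, an added example (not the project's own code) of writing API fields to CSV so that a spreadsheet displays formula-like values as text, together with a check for auditing an existing export. The alert records and field names below are constructed sample input, not real GHAS API output.

```python
"""Neutralise and detect spreadsheet formula injection in CSV exports of API data.
Added example, not the ghas-to-csv project's code; sample records are constructed."""
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (or, for tab/CR, break out of the field); the list follows OWASP's CSV guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value):
    """True if a spreadsheet could evaluate this cell instead of displaying it."""
    text = str(value).lstrip(" ")          # some apps drop leading spaces first
    return text.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value):
    """Prefix a single quote so the cell is stored as literal text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def records_to_csv(records, fields):
    """Write dict records to CSV; every field is neutralised and double-quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL)   # also doubles embedded quotes
    writer.writerow(fields)
    for rec in records:
        writer.writerow([neutralize_cell(rec.get(f, "")) for f in fields])
    return buf.getvalue()


def find_unsafe_cells(csv_text):
    """Audit an existing CSV: (row, column) of cells a spreadsheet may execute."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                hits.append((r, c))
    return hits


# Constructed sample: one alert whose dismissal comment holds a formula.
SAMPLE_ALERTS = [
    {"number": 1, "state": "dismissed", "dismissed_comment": "=1+1"},
    {"number": 2, "state": "open", "dismissed_comment": 'fixed in "hotfix", see PR'},
]

if __name__ == "__main__":
    print(records_to_csv(SAMPLE_ALERTS, ["number", "state", "dismissed_comment"]))
```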