CVE-2024-41947

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Jul 31, 2024 / Updated: 3mo ago

To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away. To reproduce on a XWiki instance, a user with admin rights needs to edit a document without saving right away.

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available. Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores: High : vulnerabilities with a CVSS base score of 7.0–10.0 Medium : vulnerabilities with a CVSS base score of 4.0–6.9 Low : vulnerabilities with a CVSS base score of 0.0–3.9 Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links.

High Vulnerabilities Primary Vendor -- Product Description Published CVSS Score Source & Patch Info Apache Software Foundation--Apache SeaTunnel Web Web Authentication vulnerability in Apache SeaTunnel. Since the jwt key is hardcoded in the application, an attacker can forge any token to log in any user. Attacker can get secret key in /seatunnel-server/seatunnel-app/src/main/resources/application.yml and then create a token. This issue affects Apache SeaTunnel: 1.0.0. Users are recommended to upgrade to version 1.0.1, which fixes the issue. 2024-07-30 9.1 CVE-2023-48396 security@apache.org security@apache.org n/a--n/a An issue was discovered in Italtel i-MCS NFV 12.1.0-20211215. There is Incorrect Access Control. 2024-07-29 9.1 CVE-2024-28805 cve@mitre.org n/a--n/a Prototype pollution in allpro form-manager 0.7.4 allows attackers to run arbitrary code and cause other impacts via the functions setDefaults, mergeBranch, and Object.setObjectValue. 2024-07-30 9.8 CVE-2024-36572 cve@mitre.org cve@mitre.org n/a--n/a SQL Injection vulnerability in Lost and Found Information System 1.0 allows a remote attacker to escalate privileges via the id parameter to php-lfis/admin/categories/manage_category.php.

Update Wed Jul 31 22:29:12 UTC 2024

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is...

Critical Severity Description XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. By creating a conflict when another user with more rights is currently editing a page, it is possible to execute JavaScript snippets on the side of the other user, which compromises the confidentiality, integrity and availability of the whole XWiki installation. This has been patched in XWiki 15.10.8 and 16.3.0RC1. Read more at https://www.tenable.com/cve/CVE-2024-41947