A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page. The impact of this vulnerability is considered as Low, as the cluster_manager URL should not be exposed outside and is protected by user/password.

A vulnerability, which was classified as critical, has been found in Xiamen Four-Faith Video Surveillance Management System 2016/2017. Affected by this issue is some unknown functionality of the component Apache Struts. The manipulation leads to unrestricted upload. The exploit has been disclosed to the public and may be used. VDB-246134 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A where_in JINJA macro allows users to specify a quote, which combined with a carefully crafted statement would allow for SQL injection in Apache Superset. This issue affects Apache Superset: before 2.1.2, from 3.0.0 before 3.0.2. Users are recommended to upgrade to version 3.0.2, which fixes the issue.

** UNSUPPORTED WHEN ASSIGNED ** The value set as the DefaultLocaleResolver.LOCALE_KEY attribute on the session was not validated while resolving XML definition files, leading to possible path traversal and eventually SSRF/XXE when passing user-controlled data to this key. This issue affects Apache Tiles from version 2 onwards. Passing user-controlled data to this key may be relatively common, as it was also used like that to set the language in the 'tiles-test' application shipped with Tiles.