3.5
CVE-2024-3612 - SourceCodester Warehouse Management System barang.php cross site scripting
A vulnerability was found in SourceCodester Warehouse Management System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file barang.php. The manipulation of the argument nama_barang/merek leads to cross site scripting. The attack can be laβ¦
2.2
CVE-2024-32001 - SpiceDB: LookupSubjects may return partial results if a specific kind of relation is used
SpiceDB is a graph database purpose-built for storing and evaluating access control data. Use of a relation of the form: `relation folder: folder | folder#parent` with an arrow such as `folder->view` can cause LookupSubjects to only return the subjects found under subjects for either `folder` or `fβ¦
7.4
CVE-2024-31999 - @fastify/secure-session: Reuse of destroyed secure session cookie
@festify/secure-session creates a secure stateless cookie session for Fastify. At the end of the request handling, it will encrypt all data in the session with a secret key and attach the ciphertext as a cookie value with the defined cookie name. After that, the session on the server side is destroβ¦
4.3
CVE-2024-31995 - zcap has incomplete expiration checks in capability chains.
`@digitalbazaar/zcap` provides JavaScript reference implementation for Authorization Capabilities. Prior to version 9.0.1, when invoking a capability with a chain depth of 2, i.e., it is delegated directly from the root capability, the `expires` property is not properly checked against the current β¦
10
CVE-2024-31997 - XWiki Platform remote code execution from account through UIExtension parameters
XWiki Platform is a generic wiki platform. Prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, parameters of UI extensions are always interpreted as Velocity code and executed with programming rights. Any user with edit right on any document like the user's own profile can create UI extensions. Thisβ¦
10
CVE-2024-31996 - XWiki Commons missing escaping of `{` in Velocity escapetool allows remote code execution
XWiki Platform is a generic wiki platform. Starting in version 3.0.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, the HTML escaping of escaping tool that is used in XWiki doesn't escape `{`, which, when used in certain places, allows XWiki syntax injection and thereby remote code executioβ¦
9.7
CVE-2024-31988 - XWiki Platform CSRF remote code execution through the realtime HTML Converter API
XWiki Platform is a generic wiki platform. Starting in version 13.9-rc-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, when the realtime editor is installed in XWiki, it allows arbitrary remote code execution with the interaction of an admin user with programming right. More precisely, by β¦
0.0
CVE-2023-7255 -
Assigned as duplicate and no longer used.
10
CVE-2024-31987 - XWiki Platform remote code execution from account via custom skins support
XWiki Platform is a generic wiki platform. Starting in version 6.4-milestone-1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, any user who can edit any page like their profile can create a custom skin with a template override that is executed with programming right, thus allowing remote codβ¦
9.1
CVE-2024-31986 - XWiki Platform CSRF remote code execution through scheduler job's document reference
XWiki Platform is a generic wiki platform. Starting in version 3.1 and prior to versions 4.10.19, 15.5.4, and 15.10-rc-1, by creating a document with a special crafted documented reference and an `XWiki.SchedulerJobClass` XObject, it is possible to execute arbitrary code on the server whenever an aβ¦