### Impact The velocity scripts is not properly sandboxed against using the Java File API to perform read or write operations on the filesystem. Now writing an attacking script in velocity requires th ...
Continue ReadingMay 23, 2022
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577. Versions Affected: >= 5.2.0 Not affected: ...
Continue ReadingMay 23, 2022
### Impact There is a potential for an XSS vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the **antisamy-esapi.xml** configuration file that can cause URLs with the ...
Continue ReadingMay 23, 2022
### Impact The default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. Th ...
Continue ReadingMay 23, 2022
Following the coordinated and responsible vulnerability disclosure guidelines of the **[ISO 29147]()** standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. not ...
Continue ReadingMay 23, 2022
The reporter discovered they were able to hijack invites to other ads teams by adding the extra field, email, to a request that would allow them to bypass email verification. By doing so they were abl ...
Continue ReadingMay 23, 2022
### Impact Permissions set to sales channel context by admin-api are still useable within normal user session ### Patches We recommend updating to the current version 6.4.10.1. You can get the update ...
Continue ReadingMay 23, 2022
### Impact Allows an attacker to perform a DOS attack consisting of memory exhaustion on the host system. ### Patches Yes. Please upgrade to v1.2.6. ### Workarounds A workaround is to restrict the pat ...
Continue ReadingMay 23, 2022
Back to Main