| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7. |
| The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. |
| Lack of output escaping leads to an XSS vector in the content history component. |
| An improper access check allows privilege escalation through the com_users batch task. |
| Lack of output escaping leads to an XSS vector in the readmore links for com_content. |
| An improper access check allows privilege escalation through the com_users group editing webservice endpoint. |
| Lack of output escaping leads to an XSS vector in the feed modules. |
| An improper access check allows unauthorized access to com_config webservice endpoints. |
| The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. |
| An improper access check allows privilege escalation through the com_users batch task. |
| Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. |
| Lack of output escaping leads to an XSS vector in the multilingual associations component. |
| Insufficient state checks lead to a vector that allows bypassing 2FA checks. |
| Lack of input filtering leads to an XSS vector in the HTML filter code. |
| An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. |
| Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Ludwig You QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly quickwebp allows Path Traversal. This issue affects QuickWebP – Compress / Optimize Images & Convert WebP | SEO Friendly: from n/a through <= 3.2.7. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 TableOn posts-table-filterable allows Blind SQL Injection. This issue affects TableOn: from n/a through <= 1.0.5.1. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in phbernard Favicon favicon-by-realfavicongenerator allows Reflected XSS. This issue affects Favicon: from n/a through <= 1.3.46. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in IniLerm Advanced IP Blocker advanced-ip-blocker allows DOM-Based XSS. This issue affects Advanced IP Blocker: from n/a through <= 8.10.7. |