commit 3c9e956b678254f338be563dc984737676a6fe86 Author: Jérémie SALVI Date: Thu Dec 19 17:11:16 2024 +0100 first commit diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..fb00434 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +assets/config.json diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..7232fdf --- /dev/null +++ b/TODO.md @@ -0,0 +1,2 @@ +appendChild on CVE function +add shadow to object in overeffect diff --git a/assets/bg.jpg b/assets/bg.jpg new file mode 100644 index 0000000..b87f702 Binary files /dev/null and b/assets/bg.jpg differ diff --git a/assets/bg.webp b/assets/bg.webp new file mode 100644 index 0000000..c0710d4 Binary files /dev/null and b/assets/bg.webp differ diff --git a/assets/config.json.example b/assets/config.json.example new file mode 100644 index 0000000..8a5bb63 --- /dev/null +++ b/assets/config.json.example @@ -0,0 +1,32 @@ +[ + { + "name": "Home Lab", + "content": [ + { + "url": "https://wikijs.local/", + "icon": "./assets/icons/wikijs.svg", + "name": "Wikijs" + }, + { + "url": "https://npm.local/", + "icon": "https://nginxproxymanager.com/logo.svg", + "name": "Npm" + }, + ] + }, + { + "name": "", + "content": [ + { + "url": "https://www.facebook.com/", + "icon": "https://upload.wikimedia.org/wikipedia/commons/b/b8/2021_Facebook_icon.svg", + "name": "Facebook" + }, + { + "url": "https://www.google.com/", + "icon": "https://upload.wikimedia.org/wikipedia/commons/c/c1/Google_%22G%22_logo.svg", + "name": "Google" + }, + ] + }, +] diff --git a/assets/icons/ISMSVA.ico b/assets/icons/ISMSVA.ico new file mode 100644 index 0000000..abccaa5 Binary files /dev/null and b/assets/icons/ISMSVA.ico differ diff --git a/assets/icons/adguard.png b/assets/icons/adguard.png new file mode 100644 index 0000000..0bde6ed Binary files /dev/null and b/assets/icons/adguard.png differ diff --git a/assets/icons/authelia.svg b/assets/icons/authelia.svg new file mode 100644 index 0000000..944f325 --- /dev/null +++ b/assets/icons/authelia.svg @@ -0,0 +1,71 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/assets/icons/debian.svg b/assets/icons/debian.svg new file mode 100644 index 0000000..392e9be --- /dev/null +++ b/assets/icons/debian.svg @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/downloads.png b/assets/icons/downloads.png new file mode 100644 index 0000000..4022c97 Binary files /dev/null and b/assets/icons/downloads.png differ diff --git a/assets/icons/freebox.png b/assets/icons/freebox.png new file mode 100644 index 0000000..3f5c33f Binary files /dev/null and b/assets/icons/freebox.png differ diff --git a/assets/icons/gitea.svg b/assets/icons/gitea.svg new file mode 100644 index 0000000..a61f7ac --- /dev/null +++ b/assets/icons/gitea.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/icons/google.svg b/assets/icons/google.svg new file mode 100644 index 0000000..088288f --- /dev/null +++ b/assets/icons/google.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/icons/lldap.svg b/assets/icons/lldap.svg new file mode 100644 index 0000000..eb6c514 --- /dev/null +++ b/assets/icons/lldap.svg @@ -0,0 +1,23 @@ + + + + + + + image/svg+xml + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/nextcloud.svg b/assets/icons/nextcloud.svg new file mode 100644 index 0000000..036cbed --- /dev/null +++ b/assets/icons/nextcloud.svg @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/assets/icons/npm.svg b/assets/icons/npm.svg new file mode 100644 index 0000000..23fa245 --- /dev/null +++ b/assets/icons/npm.svg @@ -0,0 +1 @@ +logo \ No newline at end of file diff --git a/assets/icons/outlook.svg b/assets/icons/outlook.svg new file mode 100644 index 0000000..2cde22d --- /dev/null +++ b/assets/icons/outlook.svg @@ -0,0 +1,35 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/passbolt.svg b/assets/icons/passbolt.svg new file mode 100644 index 0000000..5ad38a0 --- /dev/null +++ b/assets/icons/passbolt.svg @@ -0,0 +1,9 @@ + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/patchman.svg b/assets/icons/patchman.svg new file mode 100644 index 0000000..de6b16f --- /dev/null +++ b/assets/icons/patchman.svg @@ -0,0 +1,11 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/portainer.svg b/assets/icons/portainer.svg new file mode 100644 index 0000000..b488eb2 --- /dev/null +++ b/assets/icons/portainer.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/icons/rdp.png b/assets/icons/rdp.png new file mode 100644 index 0000000..5c0dbc9 Binary files /dev/null and b/assets/icons/rdp.png differ diff --git a/assets/icons/roundcube.svg b/assets/icons/roundcube.svg new file mode 100644 index 0000000..04238a0 --- /dev/null +++ b/assets/icons/roundcube.svg @@ -0,0 +1,15 @@ + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/rutorrent.png b/assets/icons/rutorrent.png new file mode 100644 index 0000000..0b52230 Binary files /dev/null and b/assets/icons/rutorrent.png differ diff --git a/assets/icons/traefik.svg b/assets/icons/traefik.svg new file mode 100644 index 0000000..1ffc36b --- /dev/null +++ b/assets/icons/traefik.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/assets/icons/wikijs.svg b/assets/icons/wikijs.svg new file mode 100644 index 0000000..78073b2 --- /dev/null +++ b/assets/icons/wikijs.svg @@ -0,0 +1,119 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/assets/icons/wireguard.svg b/assets/icons/wireguard.svg new file mode 100644 index 0000000..81823b3 --- /dev/null +++ b/assets/icons/wireguard.svg @@ -0,0 +1,7 @@ + + \ No newline at end of file diff --git a/css/style.css b/css/style.css new file mode 100644 index 0000000..ac50568 --- /dev/null +++ b/css/style.css @@ -0,0 +1,240 @@ +@import url('https://fonts.googleapis.com/css2?family=Roboto:ital,wght@0,100;0,300;0,400;0,500;0,700;0,900;1,100;1,300;1,400;1,500;1,700;1,900&display=swap'); +/* https://fonts.google.com/selection/embed */ + +:root { + --bg-color-dark-z0: #323232; + --bg-color-dark-z1: #fff4; + --bg-color-dark-z2: #545454; + --text-color-light: #000; + --text-color-dark: #fbfbfe; + --text-color-placeholder: #a6a5ad; +} + +html, +body, +header, +section, +aside, +footer, +h1, +h2, +h3, +h4, +h5, +h6 { + margin: 0; + padding: 0; +} + +html, +body { + height: 100%; + overflow: hidden; + font-family: "Roboto"; +} + +body { + display: flex; + flex-direction: column; + background-color: var(--bg-color-dark-z0); + background-size: cover; + background-repeat: no-repeat; + background-position: bottom; + background-attachment: fixed; + background-image: url(../assets/bg.jpg); + color: var(--text-color-dark); +} + +header { + display: flex; + align-items: center; + justify-content: center; + background-color: var(--bg-color-dark-z1); +} + +.search-wrapper { + margin: 16px; + width: 100%; + max-width: 1212px; + height: 52px; + display: flex; + align-items: center; + background-color: var(--bg-color-dark-z2); + border-radius: 8px; +} + +.fake-focus { + position: relative; + border: 1px solid #00ddff; +} + +.fake-focus::after { + content: ""; + border: 3px solid #205866; + position: absolute; + width: 100%; + height: 100%; + left: -3px; + border-radius: 10px; + z-index: -1; +} + +.search-wrapper img { + width: 24px; + height: 24px; + margin: 0px 14px; +} + +.search-wrapper form { + width: 100%; + height: 100%; +} + +.search-wrapper input { + all: unset; + width: 100%; + height: 100%; + color: var(--text-color-dark); +} + +.search-wrapper input::placeholder { + color: var(--text-color-placeholder); +} + +#body { + display: flex; + justify-content: space-around; + overflow: hidden; + max-width: 1250px; + margin: auto; +} + +section, +aside { + display: flex; + flex-direction: column; + overflow: auto; + scrollbar-color: var(--bg-color-dark-z2) var(--bg-color-dark-z1); + scrollbar-width: thin; +} + +.section-wrapper, +.aside-wrapper { + margin: 16px; + display: flex; + flex-direction: column; + background-color: var(--bg-color-dark-z1); + border-radius: 8px; +} + +.section-wrapper h1, +.aside-wrapper h1 { + margin: 16px 0px 0px 16px; + color: var(--text-color-dark); +} + +.links-wrapper { + display: flex; + flex-wrap: wrap; + margin: 16px; +} + +.links-wrapper a { + display: flex; + flex-direction: column; + align-items: center; + justify-content: space-around; + text-decoration: none; +} + +.link-wrapper-inner { + padding: 16px; + display: flex; + flex-direction: column; + align-items: center; + border-radius: 8px; +} + +.link-wrapper-inner:hover { + background-color: #0005; +} + +.links-wrapper a img { + width: 48px; + height: 48px; + padding: 16px; + background-color: var(--bg-color-dark-z2); + border-radius: 8px; +} + +.link-wrapper-inner p { + margin-bottom: 0; + color: var(--text-color-dark); +} + +aside { + width: 400px; + min-width: 400px; +} + +.cve-wrapper { + margin: 16px; + padding: 16px; + background-color: var(--bg-color-dark-z2); + border-radius: 8px; + color: var(--text-color-dark); +} + +aside h1 { + margin: 16px 0 0 16px; +} + +.cve-header { + display: flex; + margin: 0 0 6px 0; + align-items: center; +} + +.cve-severity { + font-weight: 900; + background-color: #f00a; + display: flex; + align-items: center; + padding: 10px; + border-radius: 8px; + color: var(--text-color-light); + height: 30px; +} + +.cve-title-wrapper { + margin: 0 7px; +} + +.cve-title { + font-weight: 500; + font-size: 1.2em; +} + +.cve-title a { + color: var(--text-color-dark); +} + +.cve-title a:visited { + color: #00ddff; +} + +.cve-published { + font-weight: 100; + font-size: 0.9em; +} + +.cve-description { + font-size: 1em; + text-align: justify; + text-justify: inter-word; +} + +footer { + width: 100%; + height: 30px; +} diff --git a/index.html b/index.html new file mode 100644 index 0000000..9d86892 --- /dev/null +++ b/index.html @@ -0,0 +1,34 @@ + + + + + + + + + + + + +
+
+ +
+ +
+
+
+
+
+ dashboard +
+ +
+ + + diff --git a/js/main.js b/js/main.js new file mode 100644 index 0000000..e3883e2 --- /dev/null +++ b/js/main.js @@ -0,0 +1,114 @@ +console.log("main.js loaded"); + +document.addEventListener("DOMContentLoaded", () => { + console.log("dom loaded"); + fakeFocus(); + getConfig(); + getCVE(); +}); + +function fakeFocus() { + document.querySelector("input").addEventListener("focus", () => { + document.querySelector(".search-wrapper").classList.add("fake-focus"); + }); + document.querySelector("input").addEventListener("focusout", () => { + document.querySelector(".search-wrapper").classList.remove("fake-focus"); + }); +} + +async function getConfig() { + const CONFIG = "../assets/config.json"; + try { + const response = await fetch(CONFIG); + if (!response.ok) { + throw new Error(`Failed to fetch ${CONFIG}`); + } + const container = document.querySelector("section"); + container.innerHTML = ""; + const config = await response.json(); + config.forEach((element) => { + const div = document.createElement("div"); + div.classList.add("section-wrapper"); + div.innerHTML += `

${element.name}

`; + const div2 = document.createElement("div"); + div2.classList.add("links-wrapper"); + element.content.forEach((e) => { + div2.innerHTML += ` + +
+ +

${e.name}

+
+ + `; + }); + div.appendChild(div2); + container.appendChild(div); + }); + } catch (error) { + console.error("Error fetching or parsing config file:", error); + document.querySelector("section").innerHTML = + `Failed to load config file. Please debug this fu***** dashboard : ${error}`; + } +} + +async function getCVE() { + const RSS_URL = "./latest.xml"; + try { + // Fetch xml RSS feed + const response = await fetch(RSS_URL); + if (!response.ok) { + throw new Error("Failed to fetch RSS feed"); + } + const rssText = await response.text(); + // Parse xml file and extract items in an array + const parser = new DOMParser(); + const xml = parser.parseFromString(rssText, "application/xml"); + const items = xml.querySelectorAll("item"); + // clear cve div content + const cveDiv = document.querySelector(".aside-wrapper"); + cveDiv.innerHTML = ""; + cveDiv.innerHTML += `

Latest CVE

`; + // Loop items and extrat infos for each CVE + items.forEach((item) => { + const title = item.querySelector("title").textContent; + const link = item.querySelector("link").textContent; + const description = item + .querySelector("description") + .textContent.replace(/\r?\n|\r/g, " ") + .replace(/
/g, "\n"); + console.log(description); + const parsedDescription = description.match( + /Description : <\/strong>(.*)/, + )[1]; + const parsedPublished = description.match( + /Published : <\/strong>(.*)/, + )[1]; + const parsedSeverity = description.match( + /Severity:<\/strong> (.*) \|/, + )[1]; + colorHue = -12 * parseFloat(parsedSeverity) + 120; + console.log(colorHue); + cveDiv.innerHTML += ` +
+
+
${parsedSeverity}
+
+
+ ${title} +
+
${parsedPublished}
+
+
+
+ ${parsedDescription} +
+
+ `; + }); + } catch (error) { + console.error("Error fetching or parsing RSS feed:", error); + document.querySelector("#cve").innerHTML = + "Failed to load RSS feed. Please try again later."; + } +} diff --git a/latest.xml b/latest.xml new file mode 100644 index 0000000..9093d23 --- /dev/null +++ b/latest.xml @@ -0,0 +1,296 @@ + +Latest Vulnerabilitieshttps://cvefeed.io/vuln/latest/Updates on the latest vulnerabilities detected.en-usThu, 12 Dec 2024 14:15:22 +0000CVE-2024-50584 - Apache Solr Blind SQL Injectionhttps://cvefeed.io/vuln/detail/CVE-2024-50584 +<strong>CVE ID : </strong>CVE-2024-50584 +<br> +<strong>Published : </strong> Dec. 12, 2024, 2:15 p.m. | 1 hour, 10 minutes ago +<br> +<strong>Description : </strong>An authenticated attacker with the user/role "Poweruser" can perform an SQL injection by accessing the /class/template_io.php file and supplying malicious GET parameters. The "templates" parameter is vulnerable against blind boolean-based SQL injection attacks. SQL syntax must be injected into the JSON syntax of the templates parameter. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 14:15:22 +0000https://cvefeed.io/vuln/detail/CVE-2024-50584CVE-2024-28146 - Cisco Hard-Coded Credentials Exposurehttps://cvefeed.io/vuln/detail/CVE-2024-28146 +<strong>CVE ID : </strong>CVE-2024-28146 +<br> +<strong>Published : </strong> Dec. 12, 2024, 2:15 p.m. | 1 hour, 10 minutes ago +<br> +<strong>Description : </strong>The application uses several hard-coded credentials to encrypt config files during backup, to decrypt the new firmware during an update and some passwords allow a direct connection to the database server of the affected device. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 14:15:22 +0000https://cvefeed.io/vuln/detail/CVE-2024-28146CVE-2024-28145 - Apache HTTP Server SQL Injectionhttps://cvefeed.io/vuln/detail/CVE-2024-28145 +<strong>CVE ID : </strong>CVE-2024-28145 +<br> +<strong>Published : </strong> Dec. 12, 2024, 2:15 p.m. | 1 hour, 10 minutes ago +<br> +<strong>Description : </strong>An unauthenticated attacker can perform an SQL injection by accessing the /class/dbconnect.php file and supplying malicious GET parameters. The HTTP GET parameters search, table, field, and value are vulnerable. For example, one SQL injection can be performed on the parameter "field" with the UNION keyword. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 14:15:22 +0000https://cvefeed.io/vuln/detail/CVE-2024-28145CVE-2024-28144 - Apache Session Hijackinghttps://cvefeed.io/vuln/detail/CVE-2024-28144 +<strong>CVE ID : </strong>CVE-2024-28144 +<br> +<strong>Published : </strong> Dec. 12, 2024, 2:15 p.m. | 1 hour, 10 minutes ago +<br> +<strong>Description : </strong>An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 14:15:22 +0000https://cvefeed.io/vuln/detail/CVE-2024-28144CVE-2024-28143 - Apache HTTP Server Password Change Weaknesshttps://cvefeed.io/vuln/detail/CVE-2024-28143 +<strong>CVE ID : </strong>CVE-2024-28143 +<br> +<strong>Published : </strong> Dec. 12, 2024, 2:15 p.m. | 1 hour, 10 minutes ago +<br> +<strong>Description : </strong>The password change function at /cgi/admin.cgi does not require the current/old password, which makes the application vulnerable to account takeover. An attacker can use this to forcefully set a new password within the -rsetpass+-aaction+- parameter for a user without knowing the old password, e.g. by exploiting a CSRF issue. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 14:15:22 +0000https://cvefeed.io/vuln/detail/CVE-2024-28143CVE-2024-54122 - Apache Ability Concurrent Access Vulnhttps://cvefeed.io/vuln/detail/CVE-2024-54122 +<strong>CVE ID : </strong>CVE-2024-54122 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Concurrent variable access vulnerability in the ability module +Impact: Successful exploitation of this vulnerability may affect availability. +<br> +<strong>Severity:</strong> 6.2 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:11 +0000https://cvefeed.io/vuln/detail/CVE-2024-54122CVE-2024-54119 - Adobe UIExtension Cross-Process Screen Stack Buffer Overflow Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-54119 +<strong>CVE ID : </strong>CVE-2024-54119 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Cross-process screen stack vulnerability in the UIExtension module +Impact: Successful exploitation of this vulnerability may affect service confidentiality. +<br> +<strong>Severity:</strong> 6.2 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:11 +0000https://cvefeed.io/vuln/detail/CVE-2024-54119CVE-2024-54118 - Apache UIExtension Cross-Process Screen Stack Buffer Overflowhttps://cvefeed.io/vuln/detail/CVE-2024-54118 +<strong>CVE ID : </strong>CVE-2024-54118 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Cross-process screen stack vulnerability in the UIExtension module +Impact: Successful exploitation of this vulnerability may affect service confidentiality. +<br> +<strong>Severity:</strong> 6.2 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:11 +0000https://cvefeed.io/vuln/detail/CVE-2024-54118CVE-2024-47947 - Oracle Web Server Stored Cross-Site Scripting Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-47947 +<strong>CVE ID : </strong>CVE-2024-47947 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL + + + + + + + + + +https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre + +The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:10 +0000https://cvefeed.io/vuln/detail/CVE-2024-47947CVE-2024-36498 - Apache IBM Security AppScan Cross-Site Scriptinghttps://cvefeed.io/vuln/detail/CVE-2024-36498 +<strong>CVE ID : </strong>CVE-2024-36498 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "Edit Disclaimer Text" function of the configuration menu is vulnerable to stored XSS. Only the users Poweruser and Admin can use this function which is available at the URL + + + + + + + + + +https://$SCANNER/cgi/admin.cgi?-rdisclaimer+-apre + +The stored Javascript payload will be executed every time the ScanWizard is loaded, even in the Kiosk-mode browser. Version 7.40 implemented a fix, but it could be bypassed via URL-encoding the Javascript payload again. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:10 +0000https://cvefeed.io/vuln/detail/CVE-2024-36498CVE-2024-36494 - Citrix CGI Slogin Cross-Site Scripting (XSS)https://cvefeed.io/vuln/detail/CVE-2024-36494 +<strong>CVE ID : </strong>CVE-2024-36494 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The login page at /cgi/slogin.cgi suffers from XSS due to improper input filtering of the -tsetup+-uuser parameter, which can only be exploited if the target user is not already logged in. This makes it ideal for login form phishing attempts. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:10 +0000https://cvefeed.io/vuln/detail/CVE-2024-36494CVE-2024-28142 - Apache Struts Cross-Site Scripting (XSS) Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-28142 +<strong>CVE ID : </strong>CVE-2024-28142 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>Due to missing input sanitization, an attacker can perform cross-site-scripting attacks and run arbitrary Javascript in the browser of other users. The "File Name" page (/cgi/uset.cgi?-cfilename) in the User Settings menu improperly filters the "file name" and wildcard character input field. By exploiting the wildcard character feature, attackers are able to store arbitrary Javascript code which is being triggered if the page is viewed afterwards, e.g. by higher privileged users such as admins. + + + + + + + + + +This attack can even be performed without being logged in because the affected functions are not fully protected. Without logging in, only the file name parameter of the "Default" User can be changed. +<br> +<strong>Severity:</strong> 0.0 | NA +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:09 +0000https://cvefeed.io/vuln/detail/CVE-2024-28142CVE-2024-12271 - "360 Javascript Viewer Stored Cross-Site Scripting"https://cvefeed.io/vuln/detail/CVE-2024-12271 +<strong>CVE ID : </strong>CVE-2024-12271 +<br> +<strong>Published : </strong> Dec. 12, 2024, 1:15 p.m. | 2 hours, 10 minutes ago +<br> +<strong>Description : </strong>The 360 Javascript Viewer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ref’ parameter in all versions up to, and including, 1.7.29 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. +<br> +<strong>Severity:</strong> 4.4 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 13:15:07 +0000https://cvefeed.io/vuln/detail/CVE-2024-12271CVE-2024-9387 - GitLab Open Redirect Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-9387 +<strong>CVE ID : </strong>CVE-2024-9387 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>An issue was discovered in GitLab CE/EE affecting all versions from 11.8 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could potentially perform an open redirect against a given releases API endpoint. +<br> +<strong>Severity:</strong> 6.4 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:28 +0000https://cvefeed.io/vuln/detail/CVE-2024-9387CVE-2024-9367 - GitLab Template Parsing DoS Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-9367 +<strong>CVE ID : </strong>CVE-2024-9367 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>An issue was discovered in GitLab CE/EE affecting all versions starting from 13.9 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2, that allows an attacker to cause uncontrolled CPU consumption, potentially leading to a Denial of Service (DoS) condition while parsing templates to generate changelogs. +<br> +<strong>Severity:</strong> 4.3 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:28 +0000https://cvefeed.io/vuln/detail/CVE-2024-9367CVE-2024-8647 - GitLab CSRF Token Leakage Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-8647 +<strong>CVE ID : </strong>CVE-2024-8647 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>An issue was discovered in GitLab affecting all versions starting 15.2 to 17.4.6, 17.5 prior to 17.5.4, and 17.6 prior to 17.6.2. On self hosted installs, it was possible to leak the anti-CSRF-token to an external site while the Harbor integration was enabled. +<br> +<strong>Severity:</strong> 5.4 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:28 +0000https://cvefeed.io/vuln/detail/CVE-2024-8647CVE-2024-8233 - GitLab Diff File DDoS Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-8233 +<strong>CVE ID : </strong>CVE-2024-8233 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>An issue has been discovered in GitLab CE/EE affecting all versions from 9.4 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. An attacker could cause a denial of service with requests for diff files on a commit or merge request. +<br> +<strong>Severity:</strong> 7.5 | HIGH +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:28 +0000https://cvefeed.io/vuln/detail/CVE-2024-8233CVE-2024-8179 - GitLab Cross-Site Scripting (XSS)https://cvefeed.io/vuln/detail/CVE-2024-8179 +<strong>CVE ID : </strong>CVE-2024-8179 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>An issue has been discovered in GitLab CE/EE affecting all versions from 17.3 before 17.4.6, 17.5 before 17.5.4, and 17.6 before 17.6.2. Improper output encoding could lead to XSS if CSP is not enabled. +<br> +<strong>Severity:</strong> 5.4 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-8179CVE-2024-54117 - Webroot UIExtension Cross-Process Screen Stack Information Disclosurehttps://cvefeed.io/vuln/detail/CVE-2024-54117 +<strong>CVE ID : </strong>CVE-2024-54117 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Cross-process screen stack vulnerability in the UIExtension module +Impact: Successful exploitation of this vulnerability may affect service confidentiality. +<br> +<strong>Severity:</strong> 6.2 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-54117CVE-2024-54116 - "Kaltura M3U8 OOB Read Vulnerability"https://cvefeed.io/vuln/detail/CVE-2024-54116 +<strong>CVE ID : </strong>CVE-2024-54116 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Out-of-bounds read vulnerability in the M3U8 module +Impact: Successful exploitation of this vulnerability may cause features to perform abnormally. +<br> +<strong>Severity:</strong> 4.3 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-54116CVE-2024-54115 - Apache DASH Out-of-bounds Read Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-54115 +<strong>CVE ID : </strong>CVE-2024-54115 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Out-of-bounds read vulnerability in the DASH module +Impact: Successful exploitation of this vulnerability will affect availability. +<br> +<strong>Severity:</strong> 4.3 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-54115CVE-2024-54114 - FFmpeg DASH Out-of-Bounds Access Denial of Service Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-54114 +<strong>CVE ID : </strong>CVE-2024-54114 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Out-of-bounds access vulnerability in playback in the DASH module +Impact: Successful exploitation of this vulnerability will affect availability. +<br> +<strong>Severity:</strong> 4.4 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-54114CVE-2024-54113 - Microsoft Print Module Energy Consumption Buffer Overflowhttps://cvefeed.io/vuln/detail/CVE-2024-54113 +<strong>CVE ID : </strong>CVE-2024-54113 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Process residence vulnerability in abnormal scenarios in the print module +Impact: Successful exploitation of this vulnerability may affect power consumption. +<br> +<strong>Severity:</strong> 6.5 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:27 +0000https://cvefeed.io/vuln/detail/CVE-2024-54113CVE-2024-54112 - Adobe Illustrator Cross-process Screen Stack Memory Corruption Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-54112 +<strong>CVE ID : </strong>CVE-2024-54112 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Cross-process screen stack vulnerability in the UIExtension module +Impact: Successful exploitation of this vulnerability may affect service confidentiality. +<br> +<strong>Severity:</strong> 5.5 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:26 +0000https://cvefeed.io/vuln/detail/CVE-2024-54112CVE-2024-54111 - Apple Image Decoding Module Read/Write Vulnerabilityhttps://cvefeed.io/vuln/detail/CVE-2024-54111 +<strong>CVE ID : </strong>CVE-2024-54111 +<br> +<strong>Published : </strong> Dec. 12, 2024, 12:15 p.m. | 3 hours, 10 minutes ago +<br> +<strong>Description : </strong>Read/Write vulnerability in the image decoding module +Impact: Successful exploitation of this vulnerability will affect availability. +<br> +<strong>Severity:</strong> 5.7 | MEDIUM +<br> +Visit the link for more details, such as CVSS details, affected products, timeline, and more... +Thu, 12 Dec 2024 12:15:26 +0000https://cvefeed.io/vuln/detail/CVE-2024-54111 \ No newline at end of file