[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 16 Mar 2023 11:21:51 +0200 (EET)
From: Giannis Christodoulakos <gchristodoulakos@...sus-labs.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2023-24278 - Reflected XSS vulnerabilities in Squidex
"/squid.svg" endpoint
Hello all,
Squidex, a "headless" open source CMS framework was found to have two reflected XSS vulnerabilities in the "/squid.svg" endpoint
affecting versions prior to 7.4.0. The vulnerabilities have been addressed in version 7.4.0 of the framework.
CVE-2023-24278 was assigned to these vulnerabilities by MITRE.
The vulnerabilities affect both authenticated and unauthenticated users and allow for
malicious JavaScript to be executed within victim user browsers. Moreover, the vulnerabilities
enable an attacker to collect the CMS authentication token from browser local storage
and it is therefore possible for the attacker to gain unauthorized access to a victim user's session.
More information about these issues is available here:
[ https://census-labs.com/news/2023/03/16/reflected-xss-vulnerabilities-in-squidex-squidsvg-endpoint/ | https://census-labs.com/news/2023/03/16/reflected-xss-vulnerabilities-in-squidex-squidsvg-endpoint/ ]
Best regards,
Ioannis Christodoulakos
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
