ASA-2019-00512 – Apache HTTP Server: Limited Cross-Site Scripting (XSS) in mod_proxy error page

A limited Cross-Site Scripting (XSS) issue was reported affecting the mod_proxy error page. An attacker could cause the link on the error page to be malformed and instead point to a page of their choice. This would only be exploitable where a server was set up with proxying enabled but was misconfigured in such a way that the Proxy Error page was displayed.

ASA-2019-00476 – GLPI: Stored Cross-Site Scripting (XSS) in the profile picture name

It has been discovered that GLPI does not sanitize the profile picture name which can be used to inject malicious HTML and JavaScript code inside the page. If an administrator access the profile, it can be used to interact with the GLPI instance with the administrator profile and perform sensitive actions such as add the low privileges account to the Super-Admin group.

ASA-2019-00455 – Squid: Multiple Cross-Site Scripting issues in cachemgr.cgi

Due to incorrect input handling Squid cachemgr.cgi tool is vulnerable to multiple Cross-Site Scripting attacks. This allows a malicious server to embed URLs in its content such that user credentials and other information can be extracted from a client or administrator with access to the Squid cachemgr.cgi tool URL.

ASA-2019-00441 – Mozilla Firefox: Character encoding XSS vulnerability

Some unicode characters are incorrectly treated as whitespace during the parsing of web content instead of triggering parsing errors. This allows malicious code to then be processed, evading cross-site scripting (XSS) filtering.

ASA-2019-00436 – Mozilla Firefox and Thunderbird: HTML parsing error can contribute to content XSS

Due to an error while parsing page content, it is possible for properly sanitized user input to be misinterpreted and lead to XSS hazards on web sites in certain circumstances.

ASA-2019-00418 – TYPO3: Arbitrary Code Execution and Cross-Site Scripting in Backend API

Backend API configuration using Page TSconfig is vulnerable to arbitrary code execution and cross-site scripting. TSconfig fields of page properties in backend forms can be used to inject malicious sequences. Field tsconfig_includes is vulnerable to directory traversal leading to same scenarios as having direct access to TSconfig settings. A valid backend user account having access to modify values for fields pages.TSconfig and pages.tsconfig_includes is needed in order to exploit this vulnerability.