Allele Security Intelligence - Stored Cross-Site Scripting

ASA-2019-00476 – GLPI: Stored Cross-Site Scripting (XSS) in the profile picture name

Posted on July 30, 2019August 5, 2019 by Allele Security Intelligence in Alerts

It has been discovered that GLPI does not sanitize the profile picture name which can be used to inject malicious HTML and JavaScript code inside the page. If an administrator access the profile, it can be used to interact with the GLPI instance with the administrator profile and perform sensitive actions such as add the low privileges account to the Super-Admin group.

ASA-2019-00375 – MyBB: Stored Cross-Site Scripting (XSS) through video bbcode

Posted on June 22, 2019June 23, 2019 by Allele Security Intelligence in Alerts

There is a Stored Cross-Site Scripting (XSS) vulnerability that occured due to a parsing error in posts and private messages in MyBB 1.8.20 and prior versions.

ASA-2019-00201 – Magento: Stored Cross-Site Scripting (XSS) in the Admin panel through the product configurations section

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with privileges to the Admin product configurations section can use a Stored Cross-Site Scripting (XSS) vulnerability to embed malicious code.

ASA-2019-00200 – Magento: Stored Cross-Site Scripting (XSS) in the Admin Catalog configuration section

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with privileges to the Admin **Products** > **Catalog** configuration section can use a Stored Cross-Site Scripting (XSS) vulnerability to embed malicious code.

ASA-2019-00198 – Magento: Stored Cross-Site Scripting (XSS) in the admin panel via the Attribute Label for Media Attributes section

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with administrative privileges can embed malicious code in the Attribute Label for Media Attributes section in the admin panel.

ASA-2019-00197 – Magento: Stored Cross-Site Scripting (XSS) vulnerability in the Admin through the Checkbox Custom Option Value field

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with privileges to the Checkbox Custom Option Value field on the Admin can use a Stored Cross-Site Scripting (XSS) vulnerability to embed malicious code.

ASA-2019-00196 – Magento: Stored Cross-Site Scripting (XSS) vulnerability in the Admin configuration area

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with privileges to the Admin **Stores** > **Attributes** > **Product ** configuration area can use a Stored Cross-Site Scripting (XSS) vulnerability to embed malicious code.

ASA-2019-00195 – Magento: Stored Cross-Site Scripting (XSS) in the Admin through B2B packages

Posted on April 16, 2019April 18, 2019 by Allele Security Intelligence in Alerts

An authenticated user with privileges to the B2B packages through an unsanitized URL parameter can use a Stored Cross-Site Scripting (xSS) vulnerability to embed malicious code.