Faris Krivic

#19533of 53,638
13.4Total CVSS
Vulnerabilities · 3
Low
1
Medium
2
PT-2024-33248
4.3
2024-06-05
WordPress · Buddyboss Platform · CVE-2024-4886
**Name of the Vulnerable Software and Affected Versions** No specific software or versions are mentioned. **Description** The issue allows a user to comment on a private post by manipulating the ID included in the request. This is due to an Insecure Direct Object Reference (IDOR) vulnerability. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2023-29218
5.4
2023-11-29
October · October · CVE-2023-44383
**Name of the Vulnerable Software and Affected Versions** October versions prior to 3.5.2 **Description** A user with access to the media manager that stores SVG files could create a stored XSS attack against themselves and any other user with access to the media manager when SVG files are supported. The issue arises because SVG files are supported by default, which has led to mistaken vulnerability reports. **Recommendations** For versions prior to 3.5.2, consider removing the `svg` extension from the list of supported file types as a temporary workaround until the patch can be applied. Update to version 3.5.2, which includes an SVG sanitizer enabled by default for new installations. For existing sites, enable the SVG sanitizer in the config/media.php file by setting `'clean vectors' => true,`.
PT-2023-28355
3.7
2023-09-21
Zope · Zope · CVE-2023-42458
**Name of the Vulnerable Software and Affected Versions** Zope versions prior to 4.8.10 and 5.8.5 **Description** Zope is an open-source web application server with a stored cross site scripting vulnerability for SVG images. The vulnerability can be exploited when an attacker uploads an image and tricks a user into following a specially crafted link. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. **Recommendations** For Zope versions prior to 4.8.10, update to version 4.8.10 to resolve the issue. For Zope versions prior to 5.8.5, update to version 5.8.5 to resolve the issue. As a temporary workaround, make sure the `Add Documents, Images, and Files` permission is only assigned to trusted roles. By default, only the Manager has this permission.