Niklas Schilling

Researcher fromSEC Consult Vulnerability Lab
#5978of 53,635
45.3Total CVSS
Vulnerabilities · 6
Medium
3
High
3
PT-2024-20460
8.2
2024-02-01
Statamic · Statamic · CVE-2024-24570
**Name of the Vulnerable Software and Affected Versions** Statamic versions prior to 3.4.17 Statamic versions prior to 4.46.0 **Description** The issue allows HTML files crafted to look like jpg files to be uploaded, enabling cross-site scripting (XSS) attacks. This affects front-end forms with asset fields without mime type validation, asset fields in the control panel, and the asset browser in the control panel. If the XSS is crafted in a specific way, the "copy password reset link" feature can be exploited to gain access to a user's password reset token and their account. The authorized user must execute the XSS for the vulnerability to occur. **Recommendations** For versions prior to 3.4.17, update to version 3.4.17 or later to patch the XSS vulnerability and disable the copy password reset link functionality. For versions prior to 4.46.0, update to version 4.46.0 or later to patch the XSS vulnerability and disable the copy password reset link functionality.
PT-2023-5334
10
2023-08-29
Ptc · Ptc Codebeamer · CVE-2023-4296
**Name of the Vulnerable Software and Affected Versions** PTC Codebeamer (affected versions not specified) **Description** The issue exists due to inadequate protection of the web page structure in PTC Codebeamer, allowing a remote attacker to execute arbitrary code. If an attacker tricks an admin user into clicking on a malicious link, it may allow the attacker to inject arbitrary code to be executed in the browser on the target device. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.
PT-2022-27683
8.8
2022-12-07
Ilias · Ilias · CVE-2022-45915
**Name of the Vulnerable Software and Affected Versions** ILIAS versions prior to 7.16 **Description** The issue allows for OS Command Injection. **Recommendations** For versions prior to 7.16, update to version 7.16 or later to resolve the issue.
PT-2022-27684
5.4
2022-12-07
Ilias · Ilias · CVE-2022-45916
**Name of the Vulnerable Software and Affected Versions** ILIAS versions prior to 7.16 **Description** The issue allows for cross-site scripting (XSS), which is a type of attack where an attacker can inject malicious scripts into a website. **Recommendations** For versions prior to 7.16, update to version 7.16 or later to resolve the issue.
PT-2022-27685
6.5
2022-12-07
Ilias · Ilias · CVE-2022-45918
**Name of the Vulnerable Software and Affected Versions** ILIAS versions prior to 7.16 **Description** The issue allows for external control of file name or path. **Recommendations** For versions prior to 7.16, update to version 7.16 or later to resolve the issue.
PT-2022-7073
6.4
2022-09-30
Ilias · Ilias · CVE-2022-45917
**Name of the Vulnerable Software and Affected Versions** ILIAS versions prior to 7.16 **Description** The issue is related to an open redirect in the `shib logout.php` script, specifically with the handling of the `return` parameter. This could allow a remote attacker to redirect users to an arbitrary URL. **Recommendations** For versions prior to 7.16, update to version 7.16 or later to resolve the issue. As a temporary workaround, consider restricting access to the `shib logout.php` script to minimize the risk of exploitation. Avoid using the `return` parameter in the affected script until the issue is resolved.