GHSA-mqf3-qpc3-g26q: Silverstripe Framework has a Reflected Cross Site Scripting (XSS) in error message

GHSA-ff6q-3c9c-6cf5: Silverstripe Framework has a XSS in form messages

GHSA-7cmp-cgg8-4c82: Silverstripe Framework has a XSS via insert media remote file oembed

GHSA-m9c9-mc2h-9wjw: Lodestar snappy checksum issue

GHSA-53rv-hcvm-rpp9: Lodestar snappy decompression issue

An attacker can send a flood of CONTINUATION frames, causing `h2` to process them indefinitely. This results in an increase in CPU usage.

Tokio task budget helps prevent this from a complete denial-of-service, as the server can still respond to legitimate requests, albeit with increased latency.

More details at https://seanmonstar.com/blog/hyper-http2-continuation-flood/.

Patches available for 0.4.x and 0.3.x versions.


**h2 servers vulnerable to degradation of service with CONTINUATION Flood**

Moderate severity GitHub Reviewed Published Apr 5, 2024 to the GitHub Advisory Database • Updated Apr 5, 2024

Headline

GHSA-q6cp-qfwq-4gcv: h2 servers vulnerable to degradation of service with CONTINUATION Flood

ghsa: Latest News