Path Traversal in GitHub repository gogs/gogs prior to 0.12.9.

@@ -12,38 +12,69 @@ import (  
func TestClean(t \*testing.T) { tests := \[\]struct { path string expVal string path string wantVal string }{ { path: "../../../readme.txt", expVal: "readme.txt", path: "../../../readme.txt", wantVal: "readme.txt", }, { path: "a/../../../readme.txt", expVal: "readme.txt", path: "a/../../../readme.txt", wantVal: "readme.txt", }, { path: "/../a/b/../c/../readme.txt", expVal: "a/readme.txt", path: "/../a/b/../c/../readme.txt", wantVal: "a/readme.txt", }, { path: "/a/readme.txt", expVal: "a/readme.txt", path: "/a/readme.txt", wantVal: "a/readme.txt", }, { path: "/", expVal: "", path: "/", wantVal: "", },  
{ path: "/a/b/c/readme.txt", expVal: "a/b/c/readme.txt", path: "/a/b/c/readme.txt", wantVal: "a/b/c/readme.txt", },  
// Windows-specific { path: \`..\\..\\..\\readme.txt\`, wantVal: "readme.txt", }, { path: \`a\\..\\..\\..\\readme.txt\`, wantVal: "readme.txt", }, { path: \`\\..\\a\\b\\..\\c\\..\\readme.txt\`, wantVal: "a/readme.txt", }, { path: \`\\a\\readme.txt\`, wantVal: "a/readme.txt", }, { path: \`..\\..\\..\\../README.md\`, wantVal: "README.md", }, { path: \`\\\`, wantVal: "", },  
{ path: \`\\a\\b\\c\\readme.txt\`, wantVal: \`a/b/c/readme.txt\`, }, } for \_, test := range tests { t.Run("", func(t \*testing.T) { assert.Equal(t, test.expVal, Clean(test.path)) t.Run(test.path, func(t \*testing.T) { assert.Equal(t, test.wantVal, Clean(test.path)) }) } }

CVE-2022-1992: pathutil: check both styles of `os.PathSeparator` (#7020) · gogs/gogs@2ca0142

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

@@ -120,6 +120,7 @@ $userName = Filter::filterVar($postData\['userName'\], FILTER\_UNSAFE\_RAW); $userRealName = Filter::filterVar($postData\['realName'\], FILTER\_UNSAFE\_RAW); $userEmail = Filter::filterVar($postData\['email'\], FILTER\_VALIDATE\_EMAIL); $automaticPassword = Filter::filterVar($postData\['automaticPassword'\], FILTER\_VALIDATE\_BOOLEAN); $userPassword = Filter::filterVar($postData\['password'\], FILTER\_UNSAFE\_RAW); $userPasswordConfirm = Filter::filterVar($postData\['passwordConfirm'\], FILTER\_UNSAFE\_RAW); $userIsSuperAdmin = Filter::filterVar($postData\['isSuperAdmin'\], FILTER\_VALIDATE\_BOOLEAN); @@ -138,6 +139,12 @@ if (is\_null($userEmail)) { $errorMessage\[\] = $PMF\_LANG\['ad\_user\_error\_noEmail'\]; } if (!$automaticPassword) { if (strlen($userPassword) <= 7 || strlen($userPasswordConfirm) <= 7) { $errorMessage\[\] = $PMF\_LANG\['ad\_passwd\_fail'\]; } }  
if (count($errorMessage) === 0) { if (!$newUser\->createUser($userName, $userPassword)) { $errorMessage\[\] = $newUser\->error(); @@ -204,6 +211,12 @@ exit(1); }  
if (strlen($newPassword) <= 7 || strlen($retypedPassword) <= 7) { $http\->setStatus(400); $http\->sendJsonWithHeaders(\['error' => $PMF\_LANG\['ad\_passwd\_fail'\]\]); exit(1); }  
$user\->getUserById($userId, true); $auth = new Auth($faqConfig); $authSource = $auth\->selectAuth($user\->getAuthSource('name'));

CVE-2023-0793: fix: added missing check on password length · thorsten/phpMyFAQ@00c0409

An issue in Cppcheck 2.12 dev allows a local attacker to execute arbitrary code via the removeContradiction parameter in token.cpp:1934.

CVE-2023-39070: cppcheck / Discussion / General Discussion: Heap UAF in lib/token.cpp:1934

In wlan service, there is a possible out of bounds read due to improper input validation. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07460540; Issue ID: ALPS07460540.

CVE-2023-20818: August 2023

Streamlit is a data oriented application development framework for python. Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information. An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file or overwrite existing files on the web-server. This issue has been resolved in version 1.11.1. Users are advised to upgrade. There are no known workarounds for this issue.

**Impact**

Users hosting Streamlit app(s) that use custom components are vulnerable to a directory traversal attack that could leak data from their web server file-system such as: server logs, world readable files, and potentially other sensitive information.

An attacker can craft a malicious URL with file paths and the streamlit server would process that URL and return the contents of that file.

**Patches**

On July 27th at 2:20PM PST we rolled out a patch in release 1.11.1. This patch ensures that any file operations are restricted only to the custom component directory and cannot traverse outside of that. We strongly recommend users upgrade to v1.11.1 as soon as possible. We have notified the Streamlit community and popular hosting providers about this issue so they can patch quickly. As a precautionary measure, we are also upgrading all users on Streamlit Cloud wherever possible. We continue to check other occurrences of this vulnerability and monitor potential exploits wherever we can.

Finally, as a general security practice, we recommend users review custom components for any malicious code before using them in their apps. Following security best practices such as running web servers with low privileges, firewalls, etc. for hosting your apps, helps in mitigating the severity of such exploits.

**Workarounds**

None.

**References**

*   https://docs.google.com/document/d/e/2PACX-1vRzF9K6gwv9KnQz---1pt0SdHMVt-CHuKMmdTH1uct7xPcK7vToP4FvYdI84aO6rGfCmrBSaViri0Nd/pub

**For more information**

If you have any questions or comments about this advisory:

*   Email us at security@streamlit.io

CVE-2022-35918

OpenSIPS is a Session Initiation Protocol (SIP) server implementation. Prior to versions 3.1.9 and 3.2.6, a malformed SIP message containing a large _Content-Length_ value and a specially crafted Request-URI causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using the `-m` flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred when shared memory was set to `2362` or higher. This issue is fixed in versions 3.1.9 and 3.2.6. The only workaround is to guarantee that the Content-Length value of input messages is never larger than `2147483647`.

**Package**

opensips (OpenSIPS Core)

**Affected versions**

<= 3.2.5, <= 3.1.8

**Patched versions**

3.1.9, 3.2.6

**Impact**

A malformed SIP message containing a large _Content-Length_ value and a specially crafted Request-URI  
causes a segmentation fault in OpenSIPS. This issue occurs when a large amount of shared memory using  
the -m flag was allocated to OpenSIPS, such as 10 GB of RAM. On the test system, this issue occurred  
when shared memory was set to 2362 or higher.

**Issue Description**

The problem occurred in the following code block:

    while (p<end && *p>='0' && *p<='9') {
        number = number*10 + (*p)-'0';
        if (number<0) {
            LM_ERR("number overflow at pos %d in len number [%.*s]\n",
                (int)(p-buffer),(int)(end-buffer), buffer);
            return 0;
        }
        size ++;
        p++;
    }
    

This code block incorrectly assumes that an integer overflow of the variable number is detected by  
checking if the value is less than zero. However, it was observed that this check returned false when  
compiled with optimizations, even though the value overflowed to a negative number.

**Workarounds**

The only workaround is to guarantee that the Content-Length value of input messages is never larger than 2147483647.

**Solutions and Recommendations**

This issue was fixed in commit 7cab422, which was tested and found to address the issue. For more info, refer to the Audit Document **section 3.1**.

**For more information**

If you have any questions or comments about this advisory:

*   Open an issue in the OpenSIPS GitHub
*   Email us at security@opensips.org

CVE-2023-28097: Vulnerability in the Content-Length Parser

The Path Sanity Check script of FreeCAD 0.19 is vulnerable to OS command injection, allowing an attacker to execute arbitrary commands via a crafted FCStd document.

![Dismiss Announcement](https://tracker.freecad.org/plugin_file.php?file=Announce/dismiss.png)

****⚠️ ATTENTION!!! ⚠️****

  
**(1)** First post to forum to verify issue  
**(2)** Link said thread to ticket and vice-a-versa  
**(3)** Use the most updated stable or development version  
**(4)** Post your **Help>About FreeCAD>Copy to clipboard** version info  
**(5)** Post a Step-By-Step explanation on how to recreate the issue  
**(6)** Upload an example file to demonstrate problem

**IMPORTANT: POST ONLY v0.20 BUG REPORTS**

*   Anonymous

Date Modified

Username

Field

Change

2021-12-23 15:48

eldstal

New Issue

2021-12-23 15:48

eldstal

Steps to Reproduce Updated

2021-12-23 15:56

eldstal

Tag Attached: security

2021-12-23 15:56

eldstal

Tag Attached: Path

2021-12-23 17:54

eldstal

Product Version

0.19 => 0.20

2021-12-28 22:36

chennes

Project

File formats => Path

2021-12-28 22:36

chennes

Category

Bug => General

2022-01-25 12:58

eldstal

Note Added: 0016287

CVE-2021-45845: 0004810: Security Vulnerability in PathSanity.py

The WP-Pro-Quiz WordPress plugin through 0.37 does not have CSRF check in place when deleting a quiz, which could allow an attacker to make a logged in admin delete arbitrary quiz on the blog

CVE-2020-36504: 0-days story 1: wp-pro-quiz

An Improper Validation of Integrity Check Value in Zscaler Client Connector on Windows allows an authenticated user to disable ZIA/ZPA by interrupting the service restart from Zscaler Diagnostics. This issue affects Client Connector: before 4.2.0.149.



Search

lenovo warranty check/lookup | check warranty status | lenovo support us