ghsa

A prototype pollution in the lib.deep function of @ndhoule/defaults v2.0.1 allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

### Summary The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability. ### Details The value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81 ### PoC https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E  ### Impact An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser. Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an...

### Summary While pushing a file via postLocal method if user add javascript code in file parameter that codes can exe in v8go context. ### Details While posting a file via postLocal, any attacker will add javascript codes to file parameter. That parameter content pass to componentSignature method after some validation. After that componentSignature parameter concat with ssrStr parameter. <img width="1145" alt="image" src="https://github.com/user-attachments/assets/a08a3fe5-2fbd-4a05-b93c-2ad127e6ee81" /> Last part of compileSvelte function ssrStr parameter executed in v8go engine. <img width="754" alt="image" src="https://github.com/user-attachments/assets/4e622761-3324-48d6-8264-6dd6e09055af" /> This cause to any one who can post a file also can push javascript code and run it. Thanks to v8go we can't use all javascript metod, if there is no any vulnerability in v8go we can't escape sandbox and can't run dangerous command like opening socket etc. But we can create infinite loop ...

### Impact Recovering coordinators do not verify the seed provided by the recovering party. This allows an attacker to set up a coordinator with a manifest that passes validation, but with a secret seed controlled by the attacker. If network traffic is redirected from the legitimate coordinator to the attacker's coordinator, a workload owner is susceptible to impersonation if either * they `set` a new manifest and don't compare the root CA cert with the existing one (this is the default of the `contrast` CLI) or * they `verify` the coordinator and don't compare the root CA cert with a trusted reference. Under these circumstances, the attacker can: * Issue certificates that chain back to the attacker coordinator's root CA. * Recover arbitrary workload secrets of workloads deployed after the attack. This issue does **not** affect the following: * secrets of the legitimate coordinator (seed, workload secrets, CA) * integrity of workloads, even when used with the rogue coordinator...

The env option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.

**Product:** Mobile Security Framework (MobSF) **Version:** 4.3.0 **CWE-ID:** CWE-269: Improper Privilege Management **CVSS vector v.4.0:** 7.1 (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N) **CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) **Description:** MobSF has a functionality of dividing users by roles. This functionality is not efficient, because any registered user can get API Token with all privileges. **Impact:** Information Disclosure **Vulnerable component:** Code output component (`/source_code`) **Exploitation conditions:** authorized user **Mitigation:** Remove token output in the returned js-script **Researcher:** Egor Filatov (Positive Technologies) ## Research Researcher discovered zero-day vulnerability «Local Privilege Escalation» in Mobile Security Framework (MobSF). To reproduce the vulnerability follow the steps below. • A user with minimal privileges is required, so the administrator must create a user account <img width="215" al...

# Partial Denial of Service (DoS) **Product:** MobSF **Version:** < 4.3.1 **CWE-ID:** CWE-1287: Improper Validation of Specified Type of Input **CVSS vector v.4.0:** 7.1 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) **Description:** DoS in the Scans Results and iOS Dynamic Analyzer functionality **Impact:** Leveraging this vulnerability would make Scans Results and iOS Dynamic Analyzer pages unavailable. **Vulnerable component:** urls.py https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/MobSF/urls.py#L401 **Exploitation conditions:** A malicious application was uploaded to the MobSF. **Mitigation:** Check the uploaded bundle IDs against the regex. **Researcher: Oleg Surnin (Positive Technologies)** ## Research Researcher discovered zero-day vulnerability Partial Denial of Service (DoS) in MobSF in the Scans Results and iOS Dynamic Analyzer function...

**Product:** MobSF **Version:** < 4.3.1 **CWE-ID:** CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.4.0:** 8.5 (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N) **CVSS vector v.3.1:** 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) **Description:** Stored XSS in the iOS Dynamic Analyzer functionality. **Impact:** Leveraging this vulnerability would enable performing actions as users, including administrative users. **Vulnerable component:** `dynamic_analysis.html` https://github.com/MobSF/Mobile-Security-Framework-MobSF/blob/d1d3b7a9aeb1a8c8c7c229a3455b19ade9fa8fe0/mobsf/templates/dynamic_analysis/ios/dynamic_analysis.html#L406 **Exploitation conditions:** A malicious application was uploaded to the Correlium. **Mitigation:** Use `escapeHtml()` function on the `bundle` variable. **Researcher: Oleg Surnin (Positive Technologies)** ## Research Researcher discovered zero-day vulnerability Stored Cross-site Scripting (XSS) in ...

### Impact Using a specially crafted file, a user could potentially upload a file containing code that when executed could send arbitrary requests to the server. If that file was opened by an administrator, it could lead to escalation of privileges of the original submitter or other malicious actions. Users must have been registered to the site to exploit this vulnerability. ### Patches This vulnerability has been fixed in CKAN 2.10.7 and 2.11.2 ### Workarounds On versions prior to CKAN 2.10.7 and 2.11.2, site maintainers can restrict the file types supported for uploading using the [ckan.upload.user.mimetypes](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-user-mimetypes) / [ckan.upload.user.types](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-user-types) and [ckan.upload.group.mimetypes](https://docs.ckan.org/en/latest/maintaining/configuration.html#ckan-upload-group-mimetypes) / [ckan.upload.group.types](https://docs.ckan.or...

### Summary Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. ### Details The following methods pass XPath expressions to the `commons-jxpath` library which can execute arbitrary code and would be a security issue if the XPath expressions are provided by user input. * `org.geotools.appschema.util.XmlXpathUtilites.getXPathValues(NamespaceSupport, String, Document)` * `org.geotools.appschema.util.XmlXpathUtilites.countXPathNodes(NamespaceSupport, String, Document)` * `org.geotools.appschema.util.XmlXpathUtilites.getSingleXPathValue(NamespaceSupport, String, Document)` * `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.get(Object, String, Class<T>)` * `org.geotools.data.complex.expression.FeaturePropertyAccessorFactory.FeaturePropertyAccessor.set(Object, String, Object, Class)` * `org.geotools.data.complex.expression.MapPropertyAccessorFactory.new...