Source
ghsa
There is a possible Cross Site Scripting (XSS) vulnerability in the `content_security_policy` helper in Action Pack. Impact ------ Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input. Credits ------- Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
Cross-Site Request Forgery (CSRF) in Avenwu Whistle v.2.9.90 and before allows attackers to perform malicious API calls, resulting in the execution of arbitrary code on the victim's machine.
# CWA-2024-007 **Severity** Medium (Moderate + Likely)[^1] **Affected versions:** - wasmvm >= 2.1.0, < 2.1.3 - wasmvm >= 2.0.0, < 2.0.4 - wasmvm < 1.5.5 - cosmwasm-vm >= 2.1.0, < 2.1.4 - cosmwasm-vm >= 2.0.0, < 2.0.7 - cosmwasm-vm < 1.5.8 **Patched versions:** - wasmvm 1.5.5, 2.0.4, 2.1.3 - cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 ## Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/commit/16eabd681790508b13dac8e67f9e6e61045240ea - 2.0: https://github.com/CosmWasm/cosmwasm/commit/0e70bd83119b02f99a2c0397f0913e0803750fd9 - 2.1: https://github.com/CosmWasm/cosmwasm/commit/f5bf24f3acadca2892afd58cc3ce5fdeb932d492 ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows: 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1....
# CWA-2024-008 **Severity** Medium (Moderate + Likely)[^1] **Affected versions:** - wasmvm >= 2.1.0, < 2.1.3 - wasmvm >= 2.0.0, < 2.0.4 - wasmvm < 1.5.5 - cosmwasm-vm >= 2.1.0, < 2.1.4 - cosmwasm-vm >= 2.0.0, < 2.0.7 - cosmwasm-vm < 1.5.8 **Patched versions:** - wasmvm 1.5.5, 2.0.4, 2.1.3 - cosmwasm-vm 1.5.8, 2.0.7, 2.1.4 ## Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) ## Patch - 1.5: https://github.com/CosmWasm/cosmwasm/commit/edcdbc520d4f5521eed42de6e2869658278e91fd - 2.0: https://github.com/CosmWasm/cosmwasm/commit/f63429ca59eb44dd5d780c1572016581337091e4 - 2.1: https://github.com/CosmWasm/cosmwasm/commit/108e7dcbf9c21df0fa83f355ad3a7355d7f220cb ## Applying the patch The patch will be shipped in releases of wasmvm. You can update more or less as follows: 1. Check the current wasmvm version: `go list -m github.com/CosmWasm/wasmvm` 2. Bump the `github.com/CosmWasm/wasmvm` dependency in your go.mod to 1.5.5, 2.0.4, 2.1....
# CWA-2024-009 **Severity** Low (Marginal + Likely)[^1] **Affected versions:** - wasmd < 0.53.1 **Patched versions:** - wasmd 0.53.2 (please note that wasmd 0.53.1 is broken and must not be used) ## Description of the bug (Blank for now. We'll add more detail once chains had a chance to upgrade.) ## Mitigations Apart from upgrading, it is recommended to **not** open the gRPC and REST APIs of _validator_ nodes to the public internet. Use isolated and resource-constrained environments for running separate public RPC nodes instead. These can then easily be thrown away and replaced with new instances in case of problems. ## Applying the patch ### Official Wasmd patch The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 2. Bump the `github.com/CosmWasm...
### Impact An attacker can write a malicious expression that escapes the sandbox to execute arbitrary code on the system. Example of vulnerable code: ```js const expressions = require("angular-expressions"); const result = expressions.compile("__proto__.constructor")({}, {}); // result should be undefined, however for versions <=1.4.2, it returns an object. ``` With a more complex (undisclosed) payload, one can get full access to Arbitrary code execution on the system. ### Patches The problem has been patched in version 1.4.3 of angular-expressions. ### Workarounds There is one workaround if it not possible for you to update : * Make sure that you use the compiled function with just one argument : ie this is not vulnerable : `const result = expressions.compile("__proto__.constructor")({});` : in this case you lose the feature of locals if you need it. ### Credits Credits go to [JorianWoltjer](https://github.com/JorianWoltjer) who has found the issue and reported it to ...
Nette Database through 3.2.4 allows SQL injection in certain situations involving an untrusted filter that is directly passed to the where method.
Versions of the package luigi before 3.6.0 are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip) due to improper destination file path validation in the _extract_packages_archive function.
Drupal core contains a potential PHP Object Injection vulnerability that (if combined with another exploit) could lead to Remote Code Execution. It is not directly exploitable. This issue is mitigated by the fact that in order for it to be exploitable, a separate vulnerability must be present to allow an attacker to pass unsafe input to `unserialize()`. There are no such known exploits in Drupal core. To help protect against this potential vulnerability, types have been added to properties in some of Drupal core's classes. If an application extends those classes, the same types may need to be specified on the subclass to avoid a `TypeError`. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.
Drupal's uniqueness checking for certain user fields is inconsistent depending on the database engine and its collation. As a result, a user may be able to register with the same email address as another user. This may lead to data integrity issues. This issue affects Drupal Core: from 8.0.0 before 10.2.11, from 10.3.0 before 10.3.9, from 11.0.0 before 11.0.8.