ghsa

### Impact A vulnerability has been identified within Rancher Manager whereby applications installed via Rancher Manager Apps Catalog store their Helm values directly into the `Apps` Custom Resource Definition, resulting in any users with `GET` access to it to be able to read any sensitive information that are contained within the Apps’ values. Additionally, the same information leaks into auditing logs when the audit level is set to equal or above 2. Application charts without sensitive data are not affected by this vulnerability. This vulnerability impacts any Helm applications installed on a Rancher Manager cluster, regardless of it being installed via the Marketplace or using the helm cli. Please consult the associated [MITRE ATT&CK - Technique - Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068/) for further information about this category of attack. ### Patches Patched versions include Rancher Manager `2.9.5` and `2.8.10`. The fix ensures that al...

### Impact Password Pusher comes with a configurable rate limiter. In versions prior to [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), the rate limiter could be bypassed by forging proxy headers allowing bad actors to send unlimited traffic to the site potentially causing a denial of service. ### Patches In [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0), a fix was implemented to only authorize proxies on local IPs which resolves this issue. If you are running a remote proxy, please see [this documentation](https://docs.pwpush.com/docs/proxies/#trusted-proxies) on how to authorize the IP address of your remote proxy. ### Workarounds It is highly suggested to upgrade to at least [v1.49.0](https://github.com/pglombardo/PasswordPusher/releases/tag/v1.49.0) to mitigate this risk. If for some reason you cannot immediately upgrade, the alternative is that you can add rules to your proxy and/or firewall to not accept externa...

Name: ASA-2024-010: Mismatched bit-length in `sdk.Int` and `sdk.Dec` can lead to panic Component: Cosmos SDK / Math Criticality: High (Considerable Impact, and Possible Likelihood per [ACMv1.2](https://github.com/interchainio/security/blob/main/resources/CLASSIFICATION_MATRIX.md)) Affected versions: `cosmossdk.io/math` package versions <= `math/v1.3.0` Affected users: Chain Builders + Maintainers, Validators ### Impact The bit-length in `sdk.Int` and `sdk.Dec` are not aligned, which may present a possible panic condition when interacting with `Dec` types in an `Int` context. This issue was resolved by aligning the max size between the data types in the cosmossdk.io/math package. This issue impacts consumers of the cosmossdk.io/math, which includes popular modules including IBC-Go and tokenfactory (permissionless). If your chain interacts with APIs in the cosmossdk.io/math package, or utilizes a module that consumes this library, it is advised to update to the latest version at the ...

### Impact A vulnerability has been discovered in Steve API (Kubernetes API Translator) in which users can watch resources they are not allowed to access, when they have at least some generic permissions on the type. For example, a user who can get a single secret in a single namespace can get all secrets in every namespace. During a `watch` request for a single ID, the following occurs: - In the case of a watch request for a single resource, Steve API will return a partition with the requested resource in it. In other cases, it will check the user's access when constructing partitions. - When a watch request for a single resource is issued, instead of using a client which impersonates the user making the request, Steve API will use the admin client, which can read all resources. This allows any requester to see the contents of any object such as secret keys, signing certificates, API tokens. Please consult the associated [MITRE ATT&CK - Technique - Valid Accounts](https://attack.m...

A flaw was found in Moodle. When restricting access to a lesson activity with a password, certain passwords could be bypassed or less secure due to a loose comparison in the password-checking logic. This issue only affected passwords set to "magic hash" values.

A flaw was found in Moodle. Dynamic tables did not enforce capability checks, which resulted in users having the ability to retrieve information they did not have permission to access.

A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to.

A flaw was found in Moodle. Additional checks were required to ensure users can only delete their OAuth2-linked accounts.

Unrestricted Upload of File with Dangerous Type, Improper Input Validation, Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in django CMS Association django Filer allows Input Data Manipulation, Stored XSS.This issue affects django Filer: from 3 before 3.3.

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in django CMS Association django CMS Attributes Fields allows Stored XSS.This issue affects django CMS Attributes Fields: before 4.0.