GHSA-9q39-rmj3-p4r2: HTML injection in Jupyter Notebook and JupyterLab leading to DOM Clobbering

### Impact

The vulnerability depends on user interaction: the victim must open a malicious notebook with Markdown cells, or a Markdown file using the JupyterLab preview feature. A malicious user can access any data that the attacked user has access to, as well as perform arbitrary requests acting as the attacked user.

### Patches

JupyterLab v3.6.8, v4.2.5 and Jupyter Notebook v7.2.2 were patched.

### Workarounds

There is no workaround for the underlying DOM Clobbering susceptibility. However, select plugins can be disabled on deployments which cannot update in a timely fashion to minimise the risk. These are:

- `@jupyterlab/mathjax-extension:plugin` - users will lose the ability to preview mathematical equations
- `@jupyterlab/markdownviewer-extension:plugin` - users will lose the ability to open Markdown previews
- `@jupyterlab/mathjax2-extension:plugin` (if installed with the optional `jupyterlab-mathjax2` package) - an older version of the mathjax plugin for JupyterLab 4.x

To disable these extensions r...

GHSA-jm9m-rqr3-wfmh: Kirby has insufficient permission checks in the language settings

### TL;DR

This vulnerability affects all Kirby sites with the `languages` option enabled that might have potential attackers in the group of authenticated Panel users. If you have disabled the `languages` and/or `api` option and don't call any methods in your code that cause write access to languages (language creation, update or deletion), your site is *not* affected.

----

### Introduction

Kirby allows restricting the permissions of specific user roles. Users of that role can only perform permitted actions. Permissions for creating and deleting languages already existed and could be configured, but were not enforced by Kirby's frontend or backend code. A permission for updating existing languages did not exist before the patched versions, so disabling the `languages.*` wildcard permission for a role could not prohibit updates to existing language definitions.

### Impact

The missing permission checks allowed attackers with Panel access to manipulate the language de...

GHSA-xp68-7g33-f49m: FeehiCMS User[avatar] unrestricted upload

A vulnerability was found in FeehiCMS up to 2.1.1 and classified as critical. This issue affects the function insert of the file /admin/index.php?r=user%2Fcreate. The manipulation of the argument User[avatar] leads to unrestricted upload. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-mg8j-w93w-xjgc: Drupal Full Path Disclosure

`core/authorize.php` in Drupal 11.x-dev allows Full Path Disclosure (even when error logging is None) if the value of `hash_salt` is `file_get_contents` of a file that does not exist.

GHSA-3wrg-6mg5-jg2v: FeehiCMS BannerForm[img] unrestricted upload

A vulnerability has been found in FeehiCMS up to 2.1.1 and classified as critical. This vulnerability affects the function createBanner of the file /admin/index.php?r=banner%2Fbanner-create. The manipulation of the argument BannerForm[img] leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-xxqw-83c7-r24r: FeehiCMS file upload vulnerability

A vulnerability, which was classified as critical, was found in FeehiCMS up to 2.1.1. This affects the function update of the file /admin/index.php?r=friendly-link%2Fupdate. The manipulation of the argument FriendlyLink[image] leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

GHSA-846m-99qv-67mg: Ollama can extract members of a ZIP archive outside of the parent directory

`extractFromZipFile` in `model.go` in Ollama before 0.1.47 can extract members of a ZIP archive outside of the parent directory.

GHSA-9jqr-5x45-pgw8: Powermail TYPO3 extension Broken Access Control in the OutputController

An issue was discovered in powermail extension through 12.3.5 for TYPO3. Several actions in the OutputController can directly be called, due to missing or insufficiently implemented access checks, resulting in Broken Access Control. Depending on the configuration of the Powermail Frontend plugins, an unauthenticated attacker can exploit this to edit, update, delete, or export data of persisted forms. This can only be exploited when the Powermail Frontend plugins are used. The fixed versions are 7.5.0, 8.5.0, 10.9.0, and 12.4.0.

GHSA-75qh-gg76-p2w4: CWA-2023-004: Excessive number of function parameters in compiled Wasm

A specially crafted Wasm file can cause the VM to consume excessive amounts of memory when compiling a contract. This can lead to high memory usage, slowdowns and potentially a crash, and can poison a lock in the VM, preventing any further interaction with contracts. For more information, see [CWA-2023-004](https://github.com/CosmWasm/advisories/blob/main/CWAs/CWA-2023-004.md).

GHSA-3fff-gqw3-vj86: Directus has an insecure object reference via PATH presets

### Impact

Directus v10.13.0 allows an authenticated external attacker to modify presets created by the same user to assign them to another user. This is possible because the application only validates the user parameter in the `POST /presets` request but not in the PATCH request. When chained with [CVE-2024-6533](https://github.com/directus/directus/security/advisories/GHSA-9qrm-48qf-r2rw), it could result in account takeover.

### PoC

To exploit this vulnerability, we need to do the following steps using a non-administrative, default role attacker account.

1. Create a preset for a collection. Store the preset id, or use it if it already exists from `GET /presets`. The following example will use the direct_users preset.

```bash
TARGET_HOST="http://localhost:8055"
ATTACKER_EMAIL="[email protected]"
ATTACKER_PASSWORD="123456"
root_dir=$(...
```