Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-frp2-5qfc-7r8m: request_store has Incorrect Default Permissions

### Impact The files published as part of request_store 1.3.2 have 0666 permissions, meaning that they are world-writable, which allows local users to execute arbitrary code. This version was published in 2017, and most production environments do not allow access for local users, so the chances of this being exploited are very low, given that the vast majority of users will have upgraded, and those that have not, if any, are not likely to be exposed. ### Patches I am not aware of any other version of the gem with incorrect permissions, so simply upgrading should fix the issue. ### Workarounds You could chmod the files yourself, I guess. ### References https://cwe.mitre.org/data/definitions/276.html

ghsa
GHSA-wq9x-qwcq-mmgf: Diesel vulnerable to Binary Protocol Misinterpretation caused by Truncating or Overflowing Casts

The following presentation at this year's DEF CON was brought to our attention on the Diesel Gitter Channel: > SQL Injection isn't Dead: Smuggling Queries at the Protocol Level > <http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf> > (Archive link for posterity.) Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow, causing the server to interpret the rest of the string as binary protocol commands or other data. It appears Diesel _does_ perform truncating casts in a way that could be problematic, for example: <https://github.com/diesel-rs/diesel/blob/ae82c4a5a133db65612b7436356f549bfecda1c7/diesel/src/pg/connection/stmt/mod.rs#L36> This code has existed essentially since the beginning, so it is reasonable to assume that all published versio...

#sql#web#git#pdf
GHSA-45rp-q25w-4426: pretix Stored Cross-site Scripting vulnerability

Stored XSS in organizer and event settings of pretix up to 2024.7.0 allows malicious event organizers to inject HTML tags into e-mail previews on settings page. The default Content Security Policy of pretix prevents execution of attacker-provided scripts, making exploitation unlikely. However, combined with a CSP bypass (which is not currently known) the vulnerability could be used to impersonate other organizers or staff users.

GHSA-7cj3-x93g-gj76: Signature forgery in Spring Boot's Loader

Applications that use spring-boot-loader or spring-boot-loader-classic and contain custom code that performs signature verification of nested jar files may be vulnerable to signature forgery where content that appears to have been signed by one signer has, in fact, been signed by another.

GHSA-869f-px86-vj84: Mattermost Plugin Channel Export excessive resource consumption

Mattermost Plugin Channel Export versions <=1.0.0 fail to restrict concurrent runs of the /export command which allows a user to consume excessive resource by running the /export command multiple times at once.

GHSA-fxc2-8m62-m85x: LlamaIndex includes an exec call for `import {cls_name}`

An issue was discovered in llama_index before 0.10.38. `download/integration.py` includes an exec call for `import {cls_name}`.

GHSA-fxq9-6946-34q7: Mattermost allows user with systems manager role with read-only access to teams to perform write operations on teams

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.x <= 9.10.0, 9.8.x <= 9.8.2 fail to properly enforce permissions which allows a user with systems manager role with read-only access to teams to perform write operations on teams.

GHSA-2jhx-w3vc-w59g: Mattermost allows guest user with read access to upload files to a channel

Mattermost versions 9.9.x <= 9.9.1, 9.5.x <= 9.5.7, 9.10.0, 9.8.x <= 9.8.2 fail to enforce permissions which allows a guest user with read access to upload files to a channel.

GHSA-3j95-8g47-fpwh: Mattermost allows team admin user without "Add Team Members" permission to disable invite URL

Mattermost versions 9.5.x <= 9.5.7, 9.10.x <= 9.10.0 fail to properly enforce permissions which allows a team admin user without "Add Team Members" permission to disable the invite URL.

GHSA-p4fx-qf2h-jpmj: memos CORS Misconfiguration in server.go (GHSL-2024-034)

memos is a privacy-first, lightweight note-taking service. A CORS misconfiguration exists in memos 0.20.1 and earlier where an arbitrary origin is reflected with Access-Control-Allow-Credentials set to true. This may allow an attacking website to make a cross-origin request, allowing the attacker to read private information or make privileged changes to the system as the vulnerable user account.