ghsa

### Summary A security vulnerability has been identified in `go-gh` where an attacker-controlled GitHub Enterprise Server could result in executing arbitrary commands on a user's machine by replacing HTTP URLs provided by GitHub with local file paths for browsing. ### Details The GitHub CLI and CLI extensions allow users to transition from their terminal for a variety of use cases through the [`Browser` capability in `github.com/cli/go-gh/v2/pkg/browser`](https://github.com/cli/go-gh/blob/61bf393cf4aeea6d00a6251390f5f67f5b67e727/pkg/browser/browser.go): - Using the `-w, --web` flag, GitHub CLI users can view GitHub repositories, issues, pull requests, and more using their web browser - Using the `gh codespace` command set, GitHub CLI users can transition to Visual Studio Code to work with GitHub Codespaces This is done by using URLs provided through API responses from authenticated GitHub hosts when users execute `gh` commands. Prior to `2.12.1`, `Browser.Browse()` would attempt...

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly enforce access control restrictions for System Manager roles, allowing authenticated users with System Manager privileges to view team details they should not have access to via direct API requests to team endpoints, even when explicitly configured with 'No access' to Teams in the System Console.

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fails to properly invalidate personal access tokens upon user deactivation, allowing deactivated users to maintain full system access by exploiting access token validation flaws via continued usage of previously issued tokens.

Mattermost versions 10.7.x <= 10.7.0, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to properly enforce access controls for guest users accessing channel member information, allowing authenticated guest users to view metadata about members of public channels via the channel members API endpoint.

Mattermost versions 10.7.x <= 10.7.0, 10.6.x <= 10.6.2, 10.5.x <= 10.5.3, 9.11.x <= 9.11.12 fail to clear Google OAuth credentials when converting user accounts to bot accounts, allowing attackers to gain unauthorized access to bot accounts via the Google OAuth signup flow.

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

An authenticated malicious actor using specially crafted requests could bypass row level security configuration by injecting SQL into 'sqlExpression' fields. This allowed the execution of sub-queries to evade parsing defenses ultimately granting unauthorized access to data. This issue affects Apache Superset: before 4.1.2. Users are recommended to upgrade to version 4.1.2, which fixes the issue.

Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies.

An arbitrary file copy vulnerability in Gradio's flagging feature allows unauthenticated attackers to copy any readable file from the server's filesystem. While attackers can't read these copied files, they can cause DoS by copying large files (like /dev/urandom) to fill disk space. ### Description The flagging component doesn't properly validate file paths before copying files. Attackers can send specially crafted requests to the `/gradio_api/run/predict` endpoint to trigger these file copies. **Source**: User-controlled `path` parameter in the flagging functionality JSON payload **Sink**: `shutil.copy` operation in `FileData._copy_to_dir()` method The vulnerable code flow: 1. A JSON payload is sent to the `/gradio_api/run/predict` endpoint 2. The `path` field within `FileData` object can reference any file on the system 3. When processing this request, the `Component.flag()` method creates a `GradioDataModel` object 4. The `FileData._copy_to_dir()` method uses this path without ...

### Summary A permission verification flaw in Navidrome allows any authenticated regular user to bypass authorization checks and perform administrator-only transcoding configuration operations, including creating, modifying, and deleting transcoding settings. ### Details Navidrome supports transcoding functionality which, although disabled by default, should restrict configuration operations to administrators only. However, the application fails to properly validate whether a user has administrative privileges when handling transcoding configuration requests. The vulnerability exists in the API endpoints that manage transcoding settings. When a regular user sends requests to these endpoints, the application processes them without verifying if the user has administrative privileges, despite the JWT token clearly indicating the user is not an administrator (`"adm":false`). The affected endpoints include: - `POST /api/transcoding` (Create transcoding configuration) - `PUT /api/transcod...