ghsa

### Summary Open redirect vulnerability due to incorrect validation of input values when redirecting users after login. ### Details pyload is validating URLs via the `get_redirect_url` function when redirecting users at login.  The URL entered in the `next` variable goes through the `is_safe_url` function, where a lack of validation can redirect the user to an arbitrary domain.  The documentation in the urllib library shows that improper URLs are recognized as relative paths when using the `urlparse` function. (https://docs.python.org/3/...

File Upload vulnerability in MCMS 5.3.5 allows attackers to upload arbitrary files via crafted POST request to /ms/file/upload.do.

Boundary and Boundary Enterprise (“Boundary”) is vulnerable to session hijacking through TLS certificate tampering. An attacker with privileges to enumerate active or pending sessions, obtain a private key pertaining to a session, and obtain a valid trust on first use (TOFU) token may craft a TLS certificate to hijack an active session and gain access to the underlying service or application.

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the search bar component.

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

### Impact It is an issue when input HTML into the Tag name. The HTML is execute when the tag name is listed in the auto complete form. Only admin users are affected and only admin users can create tags. ### Patches _Has the problem been patched? What versions should users upgrade to?_ The problem is patched with Version 2.4.16 and 2.5.12. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Create a custom mutation observer ### References _Are there any links users can visit to find out more?_ Currently not. ### For more information _If you have any questions or comments about this advisory:_ - Open an issue in [sulu/sulu repository](https://github.com/sulu/sulu/issues) - Email us at [[email protected]](mailto:[email protected])

## Summary Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to [v2.12.5](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.12.5). libxml2 v2.12.5 addresses the following vulnerability: - CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.16.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements. ## Mitigation Upgrade to Nokogiri `>= 1.16.2`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.12.5` which will also addr...

### Summary Unsafe echo of filename in phpMyFAQ\phpmyfaq\admin\attachments.php leading to allow execute JavaScript code in client side (XSS) ### Details On that snippet code of rendering the file attachments from user tables ``` <?php foreach ($crumbs as $item) : ?> <tr id="attachment_<?= $item->id ?>" title="<?= $item->thema ?>"> <td><?= $item->id ?></td> <td><?= $item->filename ?></td> <td><?= $item->record_lang ?></td> <td><?= Utils::formatBytes($item->filesize) ?></td> <td><?= $item->mime_type ?></td> <td> ``` The data directly rendering with short hand echo without any sanitation first, its recommend to use existing class of `Strings::htmlentities` on use `phpMyFAQ\Strings;` ``` <td><?= Strings::htmlentities($item->filename); ?></td> <td><?= Strings::htmlentities($item->record_lang); ?></td> <td><?= Utils::formatBytes($item->filesize) ?></td> <td><?= Strings::htmlentities($item->mime_type); ?></td> ``` Propo...

### Summary The 'sharing FAQ' functionality allows any unauthenticated actor to misuse the phpMyFAQ application to send arbitrary emails to a large range of targets. ### Details The phpMyFAQ application has a functionality where anyone can share a FAQ item to others. The front-end of this functionality allows any phpMyFAQ articles to be shared with 5 email addresses. The application will then send these 5 emails. However, there are no controls over what link and content are shared. Furthermore, any unauthenticated actor can perform this action. There is a CAPTCHA in place, however the amount of people you email with a single request is not limited to 5 by the backend. An attacker can thus solve a single CAPTCHA and send thousands of emails at once. ### PoC We send the following form and capture the request.  We now change the body to contain 50 email addresses instead of j...