Source
ghsa
### Summary

Parameter tampering is a vulnerability where an attacker can manipulate parameter values in HTTP requests.

### Details

The attacker is able to change the parameter values in the request body and successfully impersonate another user. In this case, the attacker created a playlist, added a song, posted an arbitrary comment, set the playlist to be public, and put the admin as the owner of the playlist.

### Impact

Each known user is impacted. An attacker can obtain the ownerId from shared playlist information, meaning every user who has shared a playlist is also impacted, as they can be impersonated.
## Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-2m57-hf25-phgg. This link is maintained to preserve external references.

## Original Description

Passing a heavily nested list to sqlparse.parse() leads to a Denial of Service due to RecursionError.
### Impact

On CRI-O, an arbitrary systemd property can be injected via a Pod annotation:

```
---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:
    # I believe that ExecStart with an arbitrary command works here too,
    # but I haven't figured out how to marshalize the ExecStart struct to gvariant string.
    org.systemd.property.SuccessAction: "'poweroff-force'"
spec:
  containers:
    - name: hello
      image: quay.io/podman/hello
```

This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

Tested with CRI-O v1.24 on minikube.

Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536

CRI-O has to filter out annotations that have the prefix "org.systemd.property."

See also:
- https://github.com...
The ejs (aka Embedded JavaScript templates) package before 3.1.10 for Node.js lacks certain pollution protection.
Cross Site Scripting vulnerability in Lavalite CMS v.10.1.0 allows attackers to execute arbitrary code and obtain sensitive information via a crafted payload to the URL.
### Description:

During a source code review of the metrics.erb view of the Sidekiq Web UI, a reflected XSS vulnerability was discovered. The value of the substr parameter is reflected in the response without any encoding, allowing an attacker to inject JavaScript code into the response of the application. This vulnerability can be exploited to target the users of the application, and users of other applications deployed on the same domain or website as that of the Sidekiq website. Successful exploitation may result in compromise of user accounts and user data.

### Impact:

The impact of this vulnerability can be severe. An attacker could exploit it to target users of the Sidekiq Web UI. Moreover, if other applications are deployed on the same domain or website as Sidekiq, users of those applications could also be affected, leading to a broader scope of compromise. Potentially compromising their accounts, forcing the users to perform sensitive actions, stealing sensitive data, perfor...
### Impact

DoS vuln via OOM using jq in ignoreDifferences.

```
ignoreDifferences:
- group: apps
  kind: Deployment
  jqPathExpressions:
  - 'until(true == false; [.] + [1])'
```

### Patches

A patch for this vulnerability has been released in the following Argo CD versions:

- v2.10.8
- v2.9.13
- v2.8.17

### For more information

If you have any questions or comments about this advisory:

- Open an issue in [the Argo CD issue tracker](https://github.com/argoproj/argo-cd/issues) or [discussions](https://github.com/argoproj/argo-cd/discussions)
- Join us on [Slack](https://argoproj.github.io/community/join-slack) in channel #argo-cd

### Credits

This vulnerability was found and reported by @crenshaw-dev (Michael Crenshaw).

The Argo team would like to thank these contributors for their responsible disclosure and constructive communications during the resolution of this issue.
Mattermost versions 9.6.0, 9.5.x before 9.5.3, and 8.1.x before 8.1.12 fail to fully validate role changes, which allows an attacker authenticated as a team admin to promote guests to team admins via crafted HTTP requests.
Mattermost versions 8.1.x <= 8.1.10, 9.6.x <= 9.6.0, 9.5.x <= 9.5.2 and 8.1.x <= 8.1.11 fail to limit the size of a request path that includes user inputs, which allows an attacker to cause excessive resource consumption, possibly leading to a DoS, by sending large request paths.
Mattermost versions 9.6.x <= 9.6.0, 9.5.x <= 9.5.2, 9.4.x <= 9.4.4 and 8.1.x <= 8.1.11 fail to remove detailed error messages in API requests even if developer mode is off, which allows an attacker to get information about the server, such as the full path where files are stored.