Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-jfxw-6c5v-c42f: Pimcore Admin Classic Bundle Cross-site Scripting (XSS) in PDF previews

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. Proof of Concept Step 1. Go to /admin and login. Step 2. In Documents, go to home -> click on Sample Content -> click Document folder Step 3. Upload file PDF content XSS payload ### Patches Apply patches https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch ### Workarounds Update to version 1.2.0 or apply patches manually https://github.com/pimcore/pimcore/commit/757375677dc83a44c6c22f26d97452cc5cda5d7c.patch https://github.com/pimcore/admin-ui-classic-bundle/commit/19fda2e86557c2ed4978316104de5ccdaa66d8b9.patch

ghsa
Open in Source
#xss#vulnerability#web#git#pdf#auth
GHSA-r9cm-pw9j-3fpx: Dolibarr Improper Input Validation vulnerability

Improper input validation in Dolibarr ERP CRM <= v18.0.1 fails to strip certain PHP code from user-supplied input when creating a Website, allowing an attacker to inject and evaluate arbitrary PHP code.

GHSA-48v2-596x-4jr9: Dolibarr Improper Input Validation vulnerability

Improper Access Control in Dolibarr ERP CRM <= v17.0.3 allows an unauthorized authenticated user to read a database table containing customer data

GHSA-jg7w-cxjv-98c2: `SPICEDB_DATASTORE_CONN_URI` is leaked when URI cannot be parsed in github.com/authzed/spicedb

When the provided datastore URI is malformed (e.g. by having a password which contains `:`) the full URI (including the provided password) is printed, so that the password is shown in the logs. Example output: ``` terminated with errors error="unable to create migration driver for postgres: parse \"postgres://spicedb:<PASSWORD IN PLAINTEXT>": invalid port \"<PASSWORD IN PLAINTEXT>\" after host" ```

GHSA-6f58-j323-6472: pimcore/admin-ui-classic-bundle Unverified Password Change

### Impact As old password can be set as new password , it is considered as password policy violation. Pimcore is not enforcing strict password policy which allow attacker to set old password as new password Proof of Concept 1. Go to Admin link 2. login and click on -> "User | My Profile". 3. Go to change password now put old password as new password and click save. ### Patches https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch ### Workarounds Update to version 1.2.0 or apply this patches manually https://github.com/pimcore/admin-ui-classic-bundle/commit/498ac77e54541177be27b0c710e387c47b3836ea.patch ### References https://huntr.com/bounties/b031199d-192a-46e5-8c02-f7284ad74021/

GHSA-wjcc-cq79-p63f: Possible Infinite Loop when PdfWriter(clone_from) is used with a PDF

### Impact An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This infinite loop blocks the current process and can utilize a single core of the CPU by 100%. It does not affect memory usage. That is, for example, the case when the pypdf-user manipulates an incoming malicious PDF e.g. by merging it with another PDF or by adding annotations. ### Patches The issue was fixed with #2264 ### Workarounds If you cannot update your version of pypdf, you should modify `pypdf/generic/_data_structures.py` just like #2264 did.

GHSA-q78c-gwqw-jcmc: Kubernetes privilege escalation vulnerability

A security issue was discovered in Kubernetes where a user that can create pods on Windows nodes may be able to escalate to admin privileges on those nodes. Kubernetes clusters are only affected if they include Windows nodes.

GHSA-mr45-rx8q-wcm9: xkeys seal encryption used fixed key for all encryption

## Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The cryptographic key handling library, nkeys, recently gained support for encryption, not just for signing/authentication. This is used in nats-server 2.10 (Sep 2023) and newer for authentication callouts. ## Problem Description The nkeys library's "xkeys" encryption handling logic mistakenly passed an array by value into an internal function, where the function mutated that buffer to populate the encryption key to use. As a result, all encryption was actually to an all-zeros key. This affects encryption only, not signing. FIXME: FILL IN IMPACT ON NATS-SERVER AUTH CALLOUT SECURITY. ## Affected versions nkeys Go library: * 0.4.0 up to and including 0.4.5 * Fixed with nats-io/nkeys: 0.4.6 NATS Server: * 2.10.0 up to and including 2.10.3 * Fixed with nats-io/nats-server: 2.10.4 ## Solution Upgrade the nats-server...

GHSA-mp92-3jfm-3575: Synapse vulnerable to leak of remote user device information

### Impact Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. ### Patches System administrators are encouraged to upgrade to Synapse 1.95.1 as soon as possible. ### Workarounds The `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

GHSA-j59v-hh4p-q92m: Pimcore Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.