GHSA-j628-q885-8gr5: Keycloak vulnerable to log Injection during WebAuthn authentication or registration

A flaw was found in Keycloak 22.0.5. Errors in the browser client during setup/authentication with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and logged without escaping, allowing log injection. Acknowledgements: Special thanks to Theresa Henze for reporting this issue and helping us improve our security.

GHSA-6qmx-42h2-j8h6: .NET Elevation of Privilege Vulnerability

# Microsoft Security Advisory CVE-2024-21409 | .NET Elevation of Privilege Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0, and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A use-after-free vulnerability exists in WPF which may result in Elevation of Privilege when viewing untrusted documents. This is a Windows-only vulnerability.

## Announcement

The announcement for this issue can be found at https://github.com/dotnet/announcements/issues/303

## <a name="mitigation-factors"></a>Mitigation factors

This vulnerability affects only WPF-based applications.

## <a name="affected-software"></a>Affected software

* Any .NET 7.0 application running on .NET 6.0.28 or earlier.
* Any .NET 7.0 application running on .NET 7.0.17 or earlier.
* Any .NET 8.0 application running on .N...

GHSA-8m45-2rjm-j347: @solana/web3.js vulnerable to Denial of Service attack via Message/Transaction object deserialization

Using particular inputs with `@solana/web3.js` will result in memory exhaustion (OOM). If you have a server, client, mobile, or desktop product that accepts untrusted input for use with `@solana/web3.js`, your application/service may crash, resulting in a loss of availability.

GHSA-74p6-39f2-23v3: Blind SSRF Leads to Port Scan by using Webhooks

### Impact

Failing webhook logs are available when the solution is not in debug mode. Those logs can contain information that is critical.

### Affected Versions

Umbraco versions 13.0.0 - 13.1.1

### Patches

13.1.1

### Workarounds

Disabling webhooks functionality.

GHSA-m99c-q26r-m7m7: Evmos vulnerable to unauthorized account creation with vesting module

### Impact

Using the vesting module, a malicious attacker can create a new vesting account at a given address before a contract is created on that address. Addresses of smart contracts deployed to the EVM are deterministic. Therefore, it would be possible for an attacker to front-run a contract creation and create a vesting account at that address. When an address has been initialized without any contract code deployed to it, it will not be possible to upload any afterwards. In the described attack, this would mean that a malicious actor could prevent smart contracts from being deployed correctly.

In order to remediate this, an alternative user flow is being implemented for the vesting module:

- only the account receiving the vesting funds will be able to create such an account by calling the `CreateClawbackVestingAccount` method and defining a funder address
- vesting and lockup periods can then be created by that funder addres...

GHSA-v6rw-hhgg-wc4x: Evmos vulnerable to DOS and transaction fee expropriation through Authz exploit

## Impact

An attacker can use this bug to bypass the block gas limit and gas payment completely to perform a full Denial-of-Service against the chain.

## Disclosure

Evmos versions below `v11.0.1` do not check for `MsgEthereumTx` messages that are nested under other messages. This allows a malicious actor to perform EVM transactions that do not meet the checks performed under `newEthAnteHandler`. This opens the possibility of a DOS of validators and consequently halting the chain through an infinite EVM execution.

### Additional details

The attack scenario is as follows:

1. The attacker deploys a simple smart contract with an infinite loop to the chain.
2. The attacker calls the smart contract using an embedded transaction with an extremely high gas value (`uint64` max or similar).
3. Once the transaction is included in a block, nodes will try to execute the EVM transaction with almost infinite gas and get stuck. **This stops...

GHSA-46c8-635v-68r2: Keycloak Authorization Bypass vulnerability

Due to a permissive regular expression hardcoded for filtering the hosts allowed to register a dynamic client, a malicious user with enough information about the environment could abuse a deployment that uses the Dynamic Client Registration with TrustedDomain configuration, registering a client from a host that was not previously authorized.

#### Acknowledgements:

Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security.

GHSA-8rmm-gm28-pj8q: Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:). Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.

#### Acknowledgements:

Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.

GHSA-4f53-xh3v-g8x4: Keycloak secondary factor bypass in step-up authentication

Keycloak does not correctly validate its client step-up authentication. A password-authenticated attacker could use this flaw to register a false second authentication factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication.

GHSA-mrv8-pqfj-7gp5: Keycloak path traversal vulnerability in the redirect validation

An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts.