ghsa

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

In Langchain through 0.0.155, prompt injection allows execution of arbitrary code against the SQL service provided by the chain.

In Langchain through 0.0.155, prompt injection allows an attacker to force the service to retrieve data from an arbitrary URL, essentially providing SSRF and potentially injecting content into downstream tasks.

### Summary It's possible to craft a malicious `pdm.lock` file that could allow e.g. an insider or a malicious open source project to appear to depend on a trusted PyPI project, but actually install another project. ### Details Project `foo` can be targeted by creating the project `foo-2` and uploading the file `foo-2-2.tar.gz` to pypi.org. PyPI will see this as project `foo-2` version `2`, while PDM will see this as project `foo` version `2-2`. The version must only be [parseable as a version](https://github.com/frostming/unearth/blob/eca170d9370ac5032f2e497ee9b1b63823d3fe0f/src/unearth/evaluator.py#L215-L229) (and the filename must be a prefix of the project name), but it's [not verified to match the version being installed](https://github.com/pdm-project/pdm/blob/45d1dfa47d4900c14a31b9bb761e4c46eb5c9442/src/pdm/models/candidates.py#L98-L99). (Version `2-2` is also not a valid [normalized version per PEP 440](https://peps.python.org/pep-0440/#post-release-spelling).) Matching the p...

Cross-Site Request Forgery (CSRF) in GitHub repository modoboa/modoboa prior to 2.2.2.

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

Cross-site Scripting (XSS) - DOM in GitHub repository modoboa/modoboa prior to 2.2.2.

### Impact This advisory is not describing a vulnerability in the Tauri code base itself but a commonly used misconfiguration which could lead to leaking of the private key and updater key password into bundled Tauri applications using the Vite frontend in a specific configuration. The Tauri documentation used an insecure example configuration in the [Vite guide](https://tauri.app/v1/guides/getting-started/setup/vite/) to showcase how to use Tauri together with Vite. Copying the following snippet `envPrefix: ['VITE_', 'TAURI_'],` from this guide into the `vite.config.ts` of a Tauri project leads to bundling the `TAURI_PRIVATE_KEY` and `TAURI_KEY_PASSWORD` into the Vite frontend code and therefore leaking this value to the released Tauri application. Using the `envPrefix: ['VITE_'],` or any other framework than Vite means you are not impacted by this advisory. ### Patches The documentation has been patched but as the root cause is not in Tauri itself the issue is not fixed by upd...

An issue in Fnando svg_optimizer v.0.2.6 allows a remote attacker to escalate privileges when optimizing untrusted SVG content.

All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.