Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-58v7-58c2-qwm9: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

ghsa
Open in Source
#xss#vulnerability#git#php
GHSA-r657-3wqh-g2x9: Microweber uses hard coded credentials

Use of Hard-coded Credentials in GitHub repository microweber/microweber 1.3.4 and prior. A patch is available and anticipated to be part of version 2.0.

GHSA-j5ww-5xf4-hqm2: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

GHSA-pp4w-g5p4-85p2: phpMyFAQ Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - DOM in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

GHSA-5jwv-m8h3-69cg: phpMyFaq Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

GHSA-qcjg-hvg6-hxcp: phpMyFAQ allows unrestricted file types in image field

Unrestricted Upload of File with Dangerous Type in GitHub repository thorsten/phpmyfaq prior to 3.1.18.

GHSA-7fh5-64p2-3v2j: PostCSS line return parsing error

An issue was discovered in PostCSS before 8.4.31. It affects linters using PostCSS to parse external Cascading Style Sheets (CSS). There may be `\r` discrepancies, as demonstrated by `@font-face{ font:(\r/*);}` in a rule.

GHSA-jm6m-4632-36hf: Composer Remote Code Execution vulnerability via web-accessible composer.phar

### Impact Users publishing a composer.phar to a public web-accessible server where the composer.phar can be executed as a php file may be impacted if PHP also has `register_argc_argv` enabled in php.ini. ### Patches 2.6.4, 2.2.22 and 1.10.27 patch this vulnerability. ### Workarounds Make sure `register_argc_argv` is disabled in php.ini, and avoid publishing composer.phar to the web as this really should not happen.

GHSA-hq58-p9mv-338c: CometBFT's default for `BlockParams.MaxBytes` consensus parameter may increase block times and affect consensus participation

## Amulet Security Advisory for CometBFT: ASA-2023-002 **Component**: CometBFT **Criticality:** Low **Affected versions:** All **Affected users:** Validators, Chain Builders + Maintainers # Summary A default configuration in CometBFT has been found to be large for common use cases, and may affect block times and consensus participation when fully utilized by chain participants. It is advised that chains consider their specific needs for their use case when setting the `BlockParams.MaxBytes` consensus parameter. Chains are encouraged to evaluate the impact of having proposed blocks with the maximum allowed block size, especially on bandwidth usage and block latency. Additionally, the `timeout_propose` parameter should be computed using the maximum allowed block size as a reference. This issue does not represent an actively exploitable vulnerability that would result in a direct loss of funds, however it may have a slight impact on block latency depending on a network’s topography. W...

GHSA-rhrv-645h-fjfh: Apache Avro Java SDK vulnerable to Improper Input Validation

When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which addresses this issue.