ghsa

### Impact A user could type HTML into a field, including the field for the user's name, and then that HTML could be displayed on the screen as HTML. The HTML can also contain `<script>` tags allowing JavaScript to execute on the page. ### Patches The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched. ### Workarounds If upgrading is not possible, manually apply the changes of [4801ac7](https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa) and restart the server (e.g., by pressing Save on the Configuration screen). ### Credit The vulnerability was discovered by Riyush Ghimire (@richighimi). ### For more information If you have any questions or comments about this advisory: * Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues) * Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-2cspzjo9j-YyE7SrLmi5muAvnPv~Bz~A) * Email us at jhpy...

### Impact It is possible to create a URL that acts as an open redirect. ### Patches The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched. ### Workarounds If upgrading is not possible, manually apply the changes of [4801ac7](https://github.com/jhpyle/docassemble/commit/4801ac7ff7c90df00ac09523077930cdb6dea2aa) and restart the server (e.g., by pressing Save on the Configuration screen). ### Credit The vulnerability was discovered by Riyush Ghimire (@richighimi). ### For more information If you have any questions or comments about this advisory: * Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues) * Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-2cspzjo9j-YyE7SrLmi5muAvnPv~Bz~A) * Email us at [email protected]

### Impact The vulnerability allows attackers to gain unauthorized access to information on the system through URL manipulation. It affects versions 1.4.53 to 1.4.96. ### Patches The vulnerability has been patched in version 1.4.97 of the master branch. The Docker image on docker.io has been patched. ### Workarounds If upgrading is not possible, manually apply the changes of [97f77dc](https://github.com/jhpyle/docassemble/commit/97f77dc486a26a22ba804765bfd7058aabd600c9) and restart the server. ### Credit The vulnerability was discovered by Riyush Ghimire (@richighimi). ### For more information If you have any questions or comments about this advisory: * Open an issue in [docassemble](https://github.com/jhpyle/docassemble/issues) * Join the [Slack channel](https://join.slack.com/t/docassemble/shared_invite/zt-2cspzjo9j-YyE7SrLmi5muAvnPv~Bz~A) * Email us at [email protected]

### Impact The `Base64.encode` function encodes a `bytes` input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer. Although the `encode` function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios: - A `bytes memory` struct is allocated just after the input and the first bytes of it are non-zero. - The memory pointer is set to a non-empty memory location before allocating the input. Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker. ### Patches Upgrade to 5.0.2 or 4.9.6. ### References This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@rileyholterhus on X)

A Cross-Site Scripting vulnerability in Cockpit CMS affecting version 2.7.0. This vulnerability could allow an authenticated user to upload an infected PDF file and store a malicious JavaScript payload to be executed when the file is uploaded.

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, and 9.3.0 fail to sanitize the metadata on posts containing permalinks under specific conditions, which allows an authenticated attacker to access the contents of individual posts in channels they are not a member of.

Mattermost versions 8.1.x before 8.1.9, 9.2.x before 9.2.5, 9.3.0, and 9.4.x before 9.4.2 fail to limit the number of role names requested from the API, allowing an authenticated attacker to cause the server to run out of memory and crash by issuing an unusually large HTTP request.

A race condition in Mattermost versions 8.1.x before 8.1.9, and 9.4.x before 9.4.2 allows an authenticated attacker to gain unauthorized access to individual posts' contents via carefully timed post creation while another user deletes posts.

Apache Airflow, versions before 2.8.2, has a vulnerability that allows authenticated users to view DAG code and import errors of DAGs they do not have permission to view through the API and the UI. Users of Apache Airflow are recommended to upgrade to version 2.8.2 or newer to mitigate the risk associated with this vulnerability

Mattermost fails to check the "invite_guest" permission when inviting guests of other teams to a team, allowing a member with permissions to add other members but not to add guests to add a guest to a team as long as the guest was already a guest in another team of the server