Security Headlines
GHSA-p4ww-j4pr-qw6q: RuoYi vulnerable to Cross-site Scripting

A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function `uploadFilesPath` of the component `File Upload`. Manipulation of the argument `originalFilenames` leads to cross-site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability.

GHSA-9r25-4j77-9wc7: Cockpit CMS vulnerable to incorrect access control

Incorrect access control in the component `/models/Content` of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

GHSA-45g2-r339-pjwf: Cockpit CMS Cross-Site Request Forgery vulnerability

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

GHSA-ghg2-3w9x-9599: Alkacon OpenCMS arbitrary file upload vulnerability

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

GHSA-4mh8-9wq6-rjxg: OpenAM vulnerable to user impersonation using SAMLv1.x SSO process

### Impact

OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the `SAMLPOSTProfileServlet` servlet.

### Patches

This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later.

### Workarounds

Comment out the `SAMLPOSTProfileServlet` servlet in `web.xml`, or disable SAML in OpenAM:

```xml
<servlet>
    <description>SAMLPOSTProfileServlet</description>
    <servlet-name>SAMLPOSTProfileServlet</servlet-name>
    <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class>
</servlet>
...
<servlet-mapping>
    <servlet-name>SAMLSOAPReceiver</servlet-name>
    <url-pattern>/SAMLSOAPReceiver</url-pattern>
</servlet-mapping>
```

### References

#624

GHSA-hhr9-rh25-hvf9: Feathers socket handler allows abusing implicit toString

### Impact

The Feathers socket handler did not catch invalid string conversion errors such as:

```ts
const message = `${{ toString: '' }}`
```

This caused the NodeJS process to crash when it received an unexpected Socket.io message like:

```ts
socket.emit('find', { toString: '' })
```

### Patches

A fix has been released in

- `v5.0.8` via #3241
- `v4.5.18` via #3242

### Workarounds

Since the bug is in the core socket handling code, upgrading to a fixed version is necessary.

### References

- [v5.0.8 Changelog](https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19)
- [v4.5.18 Changelog](https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19)

GHSA-45c4-8wx5-qw6w: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

### Impact

aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules), which is vulnerable to CVE-2023-30589. aiohttp uses this code for its HTTP request parser when it is available, which is the default when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (i.e. `aiohttp.web.Application`); you are not affected if you use aiohttp only as an HTTP client library (i.e. `aiohttp.ClientSession`).

### Reproducer

```python
from aiohttp import web

async def example(request: web.Request):
    headers = dict(request.headers)
    body = await request.content.read()
    return web.Response(text=f"headers: {headers} body: {body}")

app = web.Application()
app.add_routes([web.post('/', example)])
web.run_app(app)
```

Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values, leading to HTTP request smuggling.

```console
$ ...
```

GHSA-9436-3gmp-4f53: grav Server-side Template Injection (SSTI) mitigation bypass

### Summary

The fix for SSTI using the `|map`, `|filter` and `|reduce` Twig filters implemented in commit [71bbed1](https://github.com/getgrav/grav/commit/71bbed12f950de8335006d7f91112263d8504f1b) introduces a bypass of the denylist due to an incorrect return value from `isDangerousFunction()`, which allows the payload to be executed by prepending a double backslash (`\\`).

### Details

The `isDangerousFunction()` check in version 1.7.42 and onwards returns `false` instead of `true` when the `\` symbol is found in `$name`:

```php
...
if (strpos($name, "\\") !== false) {
    return false;
}
if (in_array($name, $commandExecutionFunctions)) {
    return true;
}
...
```

Based on the code where the function is used, any dangerous condition is expected to return `true`:

```php
/**
 * @param Environment $env
 * @param array $array
 * @param callable|string $arrow
 * @return array|CallbackFilterIterator
 * @throws RuntimeE...
```

GHSA-f9g6-fp84-fv92: impl `FromMdbValue` for bool is unsound

The implementation of `FromMdbValue` has several unsoundness issues. First, it allows arbitrary bytes to be reinterpreted as a `bool`, so a safe function can trigger undefined behavior. Second, it transmutes pointers without taking memory layout into consideration. The details of reproducing the bug are available [here](https://github.com/vhbit/lmdb-rs/issues/67).

GHSA-c5vj-wp4v-mmvx: Hazelcast Executor Services don't check client permissions properly

### Impact

In Hazelcast Platform 5.0 through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, and Hazelcast IMDG (all versions up to 4.2.z), Executor Services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted.

### Patches

Fix versions: 5.3.0, 5.2.4, 5.1.7, 5.0.5

### Workarounds

Users are only affected when they already use executor services (i.e., an instance exists as a distributed data structure).