Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-9cgf-pxwq-2cpw: Stimulsoft Dashboard.JS Cross Site Scripting vulnerability

Cross Site Scripting vulnerability in Stimulsoft GmbH Stimulsoft Dashboard.JS before v.2024.1.2 allows a remote attacker to execute arbitrary code via a crafted payload to the ReportName field.

ghsa
Open in Source
#xss#vulnerability#nodejs#js#git
GHSA-qf9m-vfgh-m389: FastAPI Content-Type Header ReDoS

### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS This only applies when the app uses form data, parsed with `python-multipart`. ### Details A regular HTTP `Content-Type` header could look like: ``` Content-Type: text/html; charset=utf-8 ``` `python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74 A custom option could be made and sent to the server to break it wit...

GHSA-93gm-qmq6-w238: Starlette Content-Type Header ReDoS

### Summary When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS This only applies when the app uses form data, parsed with `python-multipart`. ### Details A regular HTTP `Content-Type` header could look like: ``` Content-Type: text/html; charset=utf-8 ``` `python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74 A custom option could be made and sent to the server to break it wit...

GHSA-mpwj-fcr6-x34c: Yarn untrusted search path vulnerability

An untrusted search path vulnerability was found in Yarn. When a victim runs certain Yarn commands in a directory with attacker-controlled content, malicious commands could be executed in unexpected ways.

GHSA-vh55-786g-wjwj: .NET Information Disclosure Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An information disclosure vulnerability exists in .NET Core 3.1 and .NET 6.0 that could lead to unauthorized access of privileged information. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.7 or earlier. * Any .NET Core 3.1 applicaiton running on .NET Core 3.1.27 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET. ### <a name=".NET Core 3.1"></a>.NET Core 3.1 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.Xml](http://system.security)| <=4.7.0| 4.7.1 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft....

GHSA-mf74-qq7w-6j7v: Zmarkdown Server-Side Request Forgery (SSRF) in remark-download-images

### Impact A major blind SSRF has been found in `remark-images-download`, which allowed for requests to be made to neighboring servers on local IP ranges. The issue came from a loose filtering of URLs inside the module. Imagine a server running on a private network `192.168.1.0/24`. A private service serving images is running on `192.168.1.2`, and is not expected to be accessed by users. A machine is running `remark-images-download` on the neighboring `192.168.1.3` host. An user enters the following Markdown: ```markdown ![](http://192.168.1.2/private-img.png) ``` The image is downloaded by the server and included inside the resulting document. Hence, the user has access to the private image. It has been corrected by preventing images downloads from local IP ranges, both in IPv4 and IPv6. To avoid malicious domain names, resolved local IPs from are also forbidden inside the module. This vulnerability impact is moderate, as it is can allow access to unexposed documents on the local...

GHSA-mq6v-w35g-3c97: Local File Inclusion vulnerability in zmarkdown

### Impact A minor Local File Inclusion vulnerability has been found in `zmarkdown`, which allowed for images with a known path on the host machine to be included inside a LaTeX document. To prevent it, a new option has been created that allow to replace invalid paths with a default image instead of linking the image on the host directly. `zmarkdown` has been updated to make this setting the default. Every user of `zmarkdown` is likely impacted, except if disabling LaTeX generation or images download. Here is an example of including an image from an invalid path: ```markdown ![](/tmp/img.png) ``` Will effectively redownload and include the image found at `/tmp/img.png`. ### Patches The vulnerability has been patched in version 10.1.3. If impacted, you should update to this version as soon as possible. ### Workarounds Disable images downloading, or sanitize paths. ### For more information If you have any questions or comments about this advisory, open an issue in [ZMarkdown](...

GHSA-29c2-65rj-h343: Nervos CKB Permit load cell data from memory

### Impact The faulty nodes will reject transactions which calls `load_cell_data` syscall but the input cell is still in the mempool. They also ban other nodes and cause the network separation. ### Patches 0.35.2, 0.36.1, 0.37.1, 0.38.2

GHSA-h4c3-5275-vrmg: Nervos CKB Pool does not remove the conflicting transactions from the statistics

### Impact There's a bug in the pool statistics that when conflicting transactions are removed from the pool, they are not subtracted from the statics. Finally, the transaction pool keeps full and reject all transactions. ### Patches 0.39.2 ### Workarounds Restart the CKB node.

GHSA-f56g-chqp-22m9: Use after free in libpulse-binding

### Overview Version 2.5.0 of the `libpulse-binding` Rust crate, released on the 22nd of December 2018, fixed a potential use-after-free issue with property list iteration due to a lack of a lifetime constraint tying the lifetime of a `proplist::Iterator` to the `Proplist` object for which it was created. This made it possible for users, without experiencing a compiler error/warning, to destroy the `Proplist` object before the iterator, thus destroying the underlying C object the iterator works upon, before the iterator may be finished with it. This advisory is being written retrospectively, having previously only been noted in the changelog. No CVE assignment was sought. This impacts all versions of the crate before 2.5.0 back to 1.0.5. Before version 1.0.5 the function that produces the iterator was broken to the point of being useless. ### Patches Users are required to update to version 2.5.0 or newer. Versions older than 2.5.0 have been yanked from crates.io as of the 22nd of...