Source
ghsa
### Impact

A vulnerability has been identified in Weave GitOps Terraform Controller which could allow an authenticated remote attacker to view sensitive information. This vulnerability stems from Weave GitOps Terraform Runners (`tf-runner`), where sensitive data is inadvertently printed, potentially revealing sensitive user data in their pod logs. In particular, the functions `tfexec.ShowPlan`, `tfexec.ShowPlanRaw`, and `tfexec.Output` are implicated when the `tfexec` object has its `Stdout` and `Stderr` set to `os.Stdout` and `os.Stderr`. An unauthorized remote attacker could exploit this vulnerability by accessing these prints of sensitive information, which may contain configurations or tokens that could be used to gain unauthorized control of or access to resources managed by the Terraform controller. A successful exploit could allow the attacker to use this sensitive data, potentially leading to unauthorized access to or control of the system.

### Patches

This vulnerability has bee...
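The leak pattern above, as an added Go example that is not the controller's own code: a stand-in runner writes the output of `terraform output -json` to whatever writer it was given, so wiring it to the process stdout puts every output, sensitive ones included, into the pod log. The hardened variant captures the output in a private buffer and redacts entries carrying `"sensitive": true` before anything is logged. The JSON document, the `runner` type and the token value are constructed for the example; only the `terraform output -json` shape is real.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"sort"
)

// outputEntry mirrors one entry of `terraform output -json`, which looks like
// {"name": {"sensitive": true, "type": "string", "value": "..."}}.
type outputEntry struct {
	Sensitive bool            `json:"sensitive"`
	Type      json.RawMessage `json:"type"`
	Value     json.RawMessage `json:"value"`
}

// SampleOutputJSON is a constructed stand-in for real `terraform output -json`
// output; the token value is fake.
const SampleOutputJSON = `{
  "bucket_name": {"sensitive": false, "type": "string", "value": "example-bucket"},
  "api_token":   {"sensitive": true,  "type": "string", "value": "tok_0123456789abcdef"}
}`

// runner is a stand-in for a tf-runner (hypothetical type, not the project's).
// Like a tfexec object whose Stdout was set, it writes the terraform command's
// stdout to the writer it was configured with.
type runner struct {
	stdout io.Writer
}

// runOutput simulates running `terraform output -json`.
func (r *runner) runOutput(raw []byte) error {
	_, err := r.stdout.Write(raw)
	return err
}

// VulnerableLog returns what lands in the pod log when the runner's stdout is
// the process stdout: the raw JSON, sensitive values included. The pod log is
// modelled as a buffer so the result can be inspected.
func VulnerableLog(raw []byte) []byte {
	var podLog bytes.Buffer // stands in for os.Stdout
	r := &runner{stdout: &podLog}
	_ = r.runOutput(raw)
	return podLog.Bytes()
}

// RedactSensitive rewrites a `terraform output -json` document so every output
// flagged sensitive has its value replaced by a placeholder. It returns the
// rewritten document and the sorted names of the outputs that were redacted.
func RedactSensitive(raw []byte) ([]byte, []string, error) {
	var outs map[string]outputEntry
	if err := json.Unmarshal(raw, &outs); err != nil {
		return nil, nil, fmt.Errorf("parse terraform outputs: %w", err)
	}
	var redacted []string
	for name, o := range outs {
		if o.Sensitive {
			o.Value = json.RawMessage(`"(sensitive value)"`)
			outs[name] = o
			redacted = append(redacted, name)
		}
	}
	sort.Strings(redacted)
	b, err := json.MarshalIndent(outs, "", "  ")
	return b, redacted, err
}

// HardenedLog captures the runner's stdout in a private buffer instead of the
// process stdout, redacts it, and returns only what is safe to log.
func HardenedLog(raw []byte) ([]byte, []string, error) {
	var captured bytes.Buffer
	r := &runner{stdout: &captured}
	if err := r.runOutput(raw); err != nil {
		return nil, nil, err
	}
	return RedactSensitive(captured.Bytes())
}

// Leaks reports whether secret appears verbatim in a log.
func Leaks(log []byte, secret string) bool { return bytes.Contains(log, []byte(secret)) }

func main() {
	const token = "tok_0123456789abcdef"
	fmt.Println("stdout -> pod log leaks token:", Leaks(VulnerableLog([]byte(SampleOutputJSON)), token))
	safe, names, err := HardenedLog([]byte(SampleOutputJSON))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("redacted outputs:", names, "leaks token:", Leaks(safe, token))
	fmt.Println(string(safe))
}
```

The same capture-and-redact step applies to `ShowPlan` output: plan JSON carries resource attributes, so anything the runner prints should go through a writer the runner controls rather than the process stdout, and only a redacted rendering should reach the log.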
### Summary

A player sending a packet can cause the server to crash by providing incorrect sign data in NBT in `BlockActorDataPacket`.

### Details

This vulnerability was discovered using the `BlockActorDataPacket`, but other packets may also be affected. The player appears to need only to send NBT with an incorrect tag type to trigger this error.

```
[Server thread/CRITICAL]: pocketmine\nbt\UnexpectedTagTypeException: "Expected a tag of type pocketmine\nbt\tag\CompoundTag, got pocketmine\nbt\tag\ByteTag" (EXCEPTION) in "pmsrc/vendor/pocketmine/nbt/src/tag/CompoundTag" at line 107
--- Stack trace ---
#0 pmsrc/src/network/mcpe/handler/InGamePacketHandler(751): pocketmine\nbt\tag\CompoundTag->getCompoundTag(string[9] FrontText)
#1 pmsrc/vendor/pocketmine/bedrock-protocol/src/BlockActorDataPacket(50): pocketmine\network\mcpe\handler\InGamePacketHandler->handleBlockActorData(object pocketmine\network\mcpe\protocol\BlockActorDataPacket#220241)
#2 pmsrc/src/network/mcpe/NetworkSession...
```
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
SQL Injection in GitHub repository pimcore/pimcore prior to 10.5.24.
webmention.js prior to 0.5.5 is vulnerable to cross-site scripting.
Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.
Improper Encoding or Escaping of Output in GitHub repository froxlor/froxlor prior to 2.0.21.
### Impact

Authorized clients holding an `inject_processor` secret could brute-force the secret token value by abusing the `fmt` parameter of the `Proxy-Tokenizer` header.

### Patches

This was fixed in https://github.com/superfly/tokenizer/pull/8 and further mitigated in https://github.com/superfly/tokenizer/pull/9.
A cross-site scripting (XSS) vulnerability in ImpressCMS v1.4.5 and before allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the `smile_code` parameter of the component `/editprofile.php`.
### Impact

When executing a relayed transaction, if the inner transaction failed, it would have increased the inner transaction's sender account nonce. This could have contributed to a limited DoS attack on a targeted account. The fix is a breaking change, so a new flag `RelayedNonceFixEnableEpoch` was needed. This was a strict processing issue while validating blocks on a chain.

### Patches

v1.4.17 and later versions contain the fix for this issue.

### Workarounds

There were no workarounds for this issue. The affected account could only wait for the DoS attack to finish (the attack was not free for the attacker) or attempt to send transactions very rapidly so as to compete with the attacker on the same nonce.

### References

For future understanding of this issue, v1.4.17 and later versions carry this integration test, which addresses the issue and tests the fix: https://github.com/multiversx/mx-chain-go/blob/babdb144f1316ab6176bf3dbd7d4621120414d43/integrationTests/vm/txsFee/r...
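The nonce-handling bug above, as an added Go model that is not mx-chain-go code: a toy ledger processes a relayed transaction whose inner transfer fails, and the victim then submits its own transaction at the nonce it believes is current. Without the fix the failed inner transaction has already consumed that nonce and the victim's transaction is rejected; with the fix it goes through. Signatures, gas and fees are left out, the account names and balances are constructed, and the `RelayedNonceFix` field only stands in for `RelayedNonceFixEnableEpoch` being active.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrBadNonce     = errors.New("nonce mismatch")
	ErrInsufficient = errors.New("insufficient balance")
)

type Account struct{ Balance, Nonce uint64 }

type Tx struct {
	Sender, Receiver string
	Value, Nonce     uint64
}

// Ledger is a toy chain state. Signatures, gas and fees are omitted;
// RelayedNonceFix stands in for RelayedNonceFixEnableEpoch being active.
type Ledger struct {
	Accounts        map[string]*Account
	RelayedNonceFix bool
}

// NewLedger seeds constructed accounts: a victim with a small balance, a
// relayer that pays for relayed transactions, and a receiver.
func NewLedger(fix bool) *Ledger {
	return &Ledger{
		Accounts: map[string]*Account{
			"victim":  {Balance: 10, Nonce: 0},
			"relayer": {Balance: 1000, Nonce: 0},
			"shop":    {Balance: 0, Nonce: 0},
		},
		RelayedNonceFix: fix,
	}
}

// ProcessTx applies a plain transaction. The sender's nonce must match the
// account nonce and is consumed only when the transfer succeeds (what a plain
// failed transaction does to the nonce is outside this model).
func (l *Ledger) ProcessTx(tx Tx) error {
	s, ok := l.Accounts[tx.Sender]
	if !ok {
		return fmt.Errorf("unknown sender %q", tx.Sender)
	}
	if s.Nonce != tx.Nonce {
		return fmt.Errorf("%w: account at %d, tx carries %d", ErrBadNonce, s.Nonce, tx.Nonce)
	}
	if s.Balance < tx.Value {
		return ErrInsufficient
	}
	s.Balance -= tx.Value
	l.Accounts[tx.Receiver].Balance += tx.Value
	s.Nonce++
	return nil
}

// ProcessRelayed applies an outer transaction from relayer that wraps inner.
// The relayer's nonce is always consumed because the relayer paid for
// inclusion. Without the fix, an inner transaction whose nonce was current but
// whose execution failed still burns the inner sender's nonce.
func (l *Ledger) ProcessRelayed(relayer string, inner Tx) error {
	l.Accounts[relayer].Nonce++
	err := l.ProcessTx(inner)
	if err != nil && !errors.Is(err, ErrBadNonce) && !l.RelayedNonceFix {
		l.Accounts[inner.Sender].Nonce++ // the bug: nonce consumed although the inner tx failed
	}
	return err
}

// Scenario replays the DoS: a relayed inner transfer of 50 from the victim
// (balance 10) fails, then the victim submits its own transaction at nonce 0,
// the nonce it believes is current. It returns that second transaction's error.
func Scenario(fix bool) error {
	l := NewLedger(fix)
	_ = l.ProcessRelayed("relayer", Tx{Sender: "victim", Receiver: "shop", Value: 50, Nonce: 0})
	return l.ProcessTx(Tx{Sender: "victim", Receiver: "shop", Value: 5, Nonce: 0})
}

func main() {
	fmt.Println("before fix, victim's next tx:", Scenario(false))
	fmt.Println("after fix, victim's next tx: ", Scenario(true))
}
```

The model also shows why the advisory's only recourse was racing on the nonce: once the victim's account nonce has been moved past the value the victim expects, every transaction the victim signs at the old nonce is rejected until it catches up.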