Security
GHSA-hj8m-9fhf-v7jp: fief-server Server-Side Template Injection vulnerability

# Server-Side Template Injection

## Overview of the Vulnerability

Server-Side Template Injection (SSTI) is a vulnerability in application templating engines where user input is improperly handled and embedded into the template source itself, possibly leading to code execution. An attacker can use SSTI to execute code on the underlying system by manipulating values within the embedded template. Code execution on the underlying system lets an attacker run commands with the privileges of the exploited process, or leverage Cross-Site Scripting (XSS) to run code within a user's browser.

## Business Impact

SSTI can lead to reputational damage for the business due to a loss of confidence and trust by users. If an attacker successfully executes code within the underlying system, it can result in data theft and indirect financial losses.

## Steps to Reproduce

1. [Sign up](https://fief.fief.dev/register) and log in to your account
2. Use a browser to navigate to: email-templ...
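The root cause described above, as an added example that is not part of the advisory and not Fief's code (Fief is a Python project, so the example is in Python). The template engine below is a deliberately tiny stand-in constructed for this example rather than Jinja2 or any real engine; what it shares with real engines is the property that matters: anything inside `{{ ... }}` in the template source is evaluated, so whoever controls the template source controls execution. The difference between `greet_vulnerable` and `greet_safe` is only whether user input lands in the template source or in the render context.

```python
import re

# Minimal stand-in template engine, constructed for this example. It is not
# Jinja2 and not Fief's code. Like a real engine, it evaluates whatever
# appears inside {{ ... }} in the *template source*.
_EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")


def render(template_source: str, context: dict) -> str:
    """Render by evaluating each {{ expr }} against the supplied context."""
    def _evaluate(match: re.Match) -> str:
        # Expressions see only the context names (builtins removed for the demo);
        # re.sub does not re-scan the replacement, so data is never re-parsed.
        return str(eval(match.group(1), {"__builtins__": {}}, dict(context)))
    return _EXPR.sub(_evaluate, template_source)


def greet_vulnerable(user_supplied: str) -> str:
    """SSTI: user input is concatenated into the template source."""
    return render("Hello " + user_supplied + "!", {"site": "example.test"})


def greet_safe(user_supplied: str) -> str:
    """Fixed: the template is a constant; user input is only render data."""
    return render("Hello {{ name }}!", {"name": user_supplied, "site": "example.test"})


# Classic SSTI probe: if the output contains 49, the engine evaluated the input.
PROBE = "{{ 7*7 }}"
# A payload that reads engine-side state the user was never shown.
LEAK = "{{ site }}"

if __name__ == "__main__":
    print(greet_vulnerable(PROBE))  # Hello 49!            -> input was evaluated
    print(greet_safe(PROBE))        # Hello {{ 7*7 }}!     -> input stayed literal
    print(greet_vulnerable(LEAK))   # Hello example.test!  -> context leaked
```

The `7*7` probe is the same first check a tester would send to a real template editor: a rendered `49` proves the value was evaluated rather than displayed, and from there the engine's object model decides how far execution reaches. Sandboxed template modes reduce the blast radius, but keeping user input out of the template source is the fix.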

GHSA-x49m-3cw7-gq5q: jcvi vulnerable to Configuration Injection due to unsanitized user input

### Summary

A configuration injection happens when user input is accepted by the application in an unsanitized form and can reach the configuration file. A malicious user may craft a special payload that may lead to a command injection.

### PoC

The vulnerable code snippet is [/jcvi/apps/base.py#LL2227C1-L2228C41](https://github.com/tanghaibao/jcvi/blob/cede6c65c8e7603cb266bc3395ac8f915ea9eac7/jcvi/apps/base.py#LL2227C1-L2228C41). Under some circumstances a user input is retrieved and stored within the `fullpath` variable, which reaches the configuration file `~/.jcvirc`.

```python
fullpath = input(msg).strip()
config.set(PATH, name, fullpath)
```

I ripped a part of the codebase into a runnable PoC as follows. All the PoC does is call the `getpath()` function under some circumstances.

```python
from configparser import (
    ConfigParser,
    RawConfigParser,
    NoOptionError,
    NoSectionError,
    ParsingError,
)
import errno
import os
import sys
import os.p...
```
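The chain the advisory describes (prompt answer stored verbatim in a config file, later used as a tool path) and the check that breaks it, as an added example that is not jcvi's code and not the reporter's PoC. The `PATH` section name, the `jcvirc` file name and the hostile prompt answer are constructed for this example; `configparser` stores the value exactly as typed, so the validation has to happen where the value is used, before it ever reaches a shell.

```python
import configparser
import os
import re
import subprocess
import sys
import tempfile

# Section name assumed for this example (mirrors the advisory's PATH constant,
# but this is not jcvi's code).
SECTION = "PATH"

# Characters that would let a stored value break out of a shell command line.
_SHELL_META = re.compile(r"[;&|`$<>(){}\\'\"\n\r]")


def store_tool_path(config_path: str, name: str, value: str) -> None:
    """The pattern the advisory describes: the prompt answer is written as-is."""
    cfg = configparser.RawConfigParser()
    cfg.read(config_path)
    if not cfg.has_section(SECTION):
        cfg.add_section(SECTION)
    cfg.set(SECTION, name, value)
    with open(config_path, "w") as fh:
        cfg.write(fh)


def load_tool_path(config_path: str, name: str) -> str:
    cfg = configparser.RawConfigParser()
    cfg.read(config_path)
    return cfg.get(SECTION, name)


def is_safe_tool_path(value: str) -> bool:
    """Accept only an absolute path to an existing executable, with no shell metacharacters."""
    if _SHELL_META.search(value):
        return False
    if not os.path.isabs(value):
        return False
    return os.path.isfile(value) and os.access(value, os.X_OK)


def run_tool(config_path: str, name: str, args: list) -> int:
    """Hardened use: validate the stored path, then exec it without a shell."""
    tool = load_tool_path(config_path, name)
    if not is_safe_tool_path(tool):
        raise ValueError(f"refusing to run {name!r}: {tool!r} failed validation")
    # Argument list with shell=False: nothing in tool or args is interpreted.
    return subprocess.run([tool, *args], check=False).returncode


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        rc = os.path.join(tmp, "jcvirc")
        # Attacker-controlled answer to the interactive prompt (constructed).
        hostile = "/usr/bin/blastn; id"
        store_tool_path(rc, "blastn", hostile)
        stored = load_tool_path(rc, "blastn")
        # Under the original pattern, f"{stored} -query in.fa" handed to a shell
        # would run `id` after blastn. That string is never built here.
        try:
            run_tool(rc, "blastn", ["-version"])
            hostile_ran = True
        except ValueError:
            hostile_ran = False
        # A legitimate value passes validation and runs without a shell.
        store_tool_path(rc, "python", sys.executable)
        python_rc = run_tool(rc, "python", ["-c", "pass"])
    return {
        "stored_verbatim": stored == hostile,
        "hostile_ran": hostile_ran,
        "python_safe": is_safe_tool_path(sys.executable),
        "python_rc": python_rc,
    }


if __name__ == "__main__":
    print(demo())
```

Two details are worth noting. `RawConfigParser` does not treat `;` as an inline comment by default, so the payload survives the write/read round trip intact; and the check lives in `run_tool`, not in the prompt handler, because a config file in the user's home directory can be edited by other means than the prompt.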

GHSA-jrjw-qgr2-wfcg: YARP Denial of Service Vulnerability

### Impact A denial of service vulnerability exists in YARP. ### Patches If you're using YARP 1.x, you should update to NuGet package version [1.1.2](https://www.nuget.org/packages/Yarp.ReverseProxy/1.1.2). If you're using YARP 2.0.0, you should update to NuGet package version [2.0.1](https://www.nuget.org/packages/Yarp.ReverseProxy/2.0.1). You can do so by updating the `PackageReference` in your `.csproj` file ```diff <ItemGroup> - <PackageReference Include="Yarp.ReverseProxy" Version="2.0.0" /> - <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.0" /> + <PackageReference Include="Yarp.ReverseProxy" Version="2.0.1" /> + <PackageReference Include="Yarp.Telemetry.Consumption" Version="2.0.1" /> </ItemGroup> ``` or by selecting `2.0.1` in the NuGet UI inside Visual Studio (`Manage NuGet Packages` / `Updates`) ### References [CVE-2023-33141](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33141)
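Review bot: the diff covers only the 2.0.x case; for the YARP 1.x case named two sentences earlier, the same two `PackageReference` lines would move to `Version="1.1.2"` for `Yarp.ReverseProxy`, so a reader on 1.x who copies the hunk as shown would jump to 2.0.1 rather than apply the 1.x fix. A second hunk for the 1.x line, or a sentence saying the diff is the 2.0.x variant, would remove that ambiguity.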

GHSA-x3m2-3pwj-8fj4: Admidio Improper Access Control vulnerability

Admidio prior to 4.2.9 is vulnerable to Improper Access Control.

GHSA-vmxg-wx6c-4f3r: Admidio Improper Access Control vulnerability

Admidio prior to 4.2.9 is vulnerable to Improper Access Control.

GHSA-hm75-8w6h-4f8f: Admidio Improper Neutralization of Formula Elements in a CSV File vulnerability

Admidio prior to 4.2.9 is vulnerable to Improper Neutralization of Formula Elements in a CSV File.
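The neutralization this weakness class calls for, as an added example that is not Admidio's code (Admidio is a PHP application; the example is in Python, the language used for the other examples on this page). A spreadsheet opens a cell starting with `=`, `+`, `-`, `@`, tab or carriage return as a formula, so an exported member list that contains such a value can execute in the administrator's spreadsheet. The sample rows are constructed; the pipe-based payload is the well-known DDE form.

```python
import csv
import io

# Leading characters a spreadsheet treats as the start of a formula.
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def _is_plain_number(text: str) -> bool:
    try:
        float(text)
    except ValueError:
        return False
    return True


def neutralize_cell(value) -> str:
    """Prefix a formula-looking cell with a single quote so it is read as text.

    Leading whitespace is ignored for the check but kept in the output, and
    plain numbers such as "-5" are left alone so numeric columns stay numeric.
    """
    text = "" if value is None else str(value)
    probe = text.lstrip()
    if probe.startswith(_FORMULA_TRIGGERS) and not _is_plain_number(probe):
        return "'" + text
    return text


def export_rows(header, rows) -> str:
    """Write a CSV export with every data cell neutralized (header is trusted)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed member list: the second member chose hostile profile values.
HEADER = ["name", "email", "balance"]
MEMBERS = [
    ("Alice", "alice@example.test", "-5"),
    ("Mallory", "=cmd|' /C calc'!A0", "@SUM(1+1)"),
]

if __name__ == "__main__":
    print(export_rows(HEADER, MEMBERS))
```

The single-quote prefix is the usual fix because it is understood by Excel, LibreOffice and Google Sheets alike; the cost is that the quote is visible in some viewers, which is why numeric-looking values are exempted rather than blanket-prefixing every cell that starts with `-`.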

GHSA-hhqm-f4m4-pq39: RaspAP raspap-webgui Command Injection vulnerability

Command injection vulnerability in RaspAP raspap-webgui 2.8.8 and earlier allows remote attackers to run arbitrary commands via crafted POST request to hostapd settings form.

GHSA-pm73-x2h5-cmj3: Apache StreamPipes Improper Privilege Management vulnerability

A REST interface in Apache StreamPipes (versions 0.69.0 to 0.91.0) was not properly restricted to admin-only access. This allowed a non-admin user with valid login credentials to elevate privileges beyond the initially assigned roles. The issue is resolved by upgrading to StreamPipes 0.92.0.

GHSA-mpv3-g8m3-3fjc: Grafana vulnerable to Authentication Bypass by Spoofing

Grafana validates Azure AD accounts based on the email claim. On Azure AD, the profile email field is not unique and can be easily modified. This leads to account takeover and authentication bypass when Azure AD OAuth is configured with a multi-tenant app: a user in another tenant can set their profile email to the victim's address and be logged in as the victim.
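The account-linking mistake described above and the standard alternative, as an added example that is not Grafana's code. The claim dictionaries are constructed and stand for an ID token that has already been verified against the issuer's keys (signature checking is not modeled here); the `Account` schema, the tenant and object identifiers and the `ALLOWED_TENANTS` set are assumptions for the example. Azure AD tokens carry `tid` (tenant) and `oid` (object id), which together identify a user immutably, whereas `email` is editable by any tenant's administrator.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    user_id: int
    email: str
    # Tenant and object id recorded at first login (assumed schema).
    azure_tid: Optional[str] = None
    azure_oid: Optional[str] = None


# Constructed user store: the victim first signed in from their own tenant.
USERS = [Account(1, "alice@victim.example", azure_tid="tenant-victim", azure_oid="oid-alice")]

# Tenants the deployment actually trusts (assumption for the example).
ALLOWED_TENANTS = {"tenant-victim"}

# Constructed verified claims. The attacker's token comes from a different
# tenant whose administrator set the profile e-mail to the victim's address.
VICTIM_CLAIMS = {"tid": "tenant-victim", "oid": "oid-alice", "email": "alice@victim.example"}
ATTACKER_CLAIMS = {"tid": "tenant-attacker", "oid": "oid-mallory", "email": "alice@victim.example"}


def link_by_email(claims: dict, users) -> Optional[Account]:
    """Vulnerable: a mutable, non-unique claim selects the account."""
    return next((u for u in users if u.email == claims.get("email")), None)


def link_by_tenant_and_oid(claims: dict, users) -> Optional[Account]:
    """Hardened: identify the account by the immutable (tid, oid) pair."""
    key = (claims.get("tid"), claims.get("oid"))
    if None in key:
        return None
    return next((u for u in users if (u.azure_tid, u.azure_oid) == key), None)


def login(claims: dict, users, allowed_tenants=ALLOWED_TENANTS) -> Optional[Account]:
    """Multi-tenant app: reject unexpected issuers first, then link on (tid, oid)."""
    if claims.get("tid") not in allowed_tenants:
        return None
    return link_by_tenant_and_oid(claims, users)


if __name__ == "__main__":
    print("email  :", link_by_email(ATTACKER_CLAIMS, USERS))          # victim's account
    print("tid/oid:", link_by_tenant_and_oid(ATTACKER_CLAIMS, USERS))  # None
    print("login  :", login(VICTIM_CLAIMS, USERS))                    # victim, legitimately
```

When an account has no `(tid, oid)` recorded yet, treat the login as a new account rather than matching it to an existing one by email; the email match is exactly the step that lets the attacker's token land on the victim's row.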

GHSA-49mv-vfcp-8gg9: Moodle vulnerable to SQL Injection

A limited SQL injection risk was identified on the Mnet SSO access control page. This flaw affects Moodle versions 4.2, 4.1 to 4.1.3, 4.0 to 4.0.8, 3.11 to 3.11.14, 3.9 to 3.9.21 and earlier unsupported versions.