Source: ghsa

GHSA-qg36-9jxh-fj25: Incorrect signature verification in django-ses

The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView` class, intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests are signed by AWS and verified by django_ses; however, the verification of this signature was found to be flawed, as it allowed users to specify arbitrary public certificates.

GHSA-x7c2-7wvg-jpx7: kiwitcms vulnerable to stored XSS via unrestricted files upload

### Impact

Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. Earlier versions of Kiwi TCMS had introduced upload validators in order to prevent potentially dangerous files from being uploaded, see [GHSA-fwcf-753v-fgcj](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-fwcf-753v-fgcj), and a Content-Security-Policy definition to prevent cross-site-scripting attacks, see [GHSA-2wcr-87wf-cf9j](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j). The upload validation checks were not robust enough, which left open the possibility that an attacker could circumvent them and upload a potentially dangerous file. Exploiting this flaw, a combination of files could be uploaded so that they work together to circumvent the existing Content-Security-Policy and allow execution of arbitrary JavaScript in the browser.

### Patches

- File upload validation code has been improved
- Kiwi TCMS will now force `Content-Type: text/plain` when serving uploaded files ...

GHSA-h79m-5cm2-278c: User data exposure in Apache InLong

Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users' data. Users are advised to upgrade to Apache InLong 1.7.0 or cherry-pick https://github.com/apache/inlong/pull/7836 to solve it.

GHSA-5gj6-62g7-vmgf: Hazelcast vulnerable to unmasked password exposure

In Hazelcast before 5.3.0, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets.

GHSA-xp5g-jhg3-3rg2: Double spend in snarkjs

iden3 snarkjs through 0.6.11 allows double spending because there is no validation that the publicSignals length is less than the field modulus.

GHSA-36cm-h8gv-mg97: RosarioSIS Stores Sensitive Data in a Mechanism without Access Control

RosarioSIS prior to 11.0 allows anyone, regardless of authentication status, to download and view file attachments under the `salaries` module. In addition, the file names contain a date in `YYYY-MM-DD` format and a random six-digit string, making enumeration of file names with automated tools relatively easy. This could allow an attacker to gain access to sensitive salary information. The patch for version 11.0 adds microseconds to filenames to make them harder to guess.

GHSA-4gm9-c9jq-g523: Froxlor vulnerable to Allocation of Resources Without Limits or Throttling

Froxlor prior to 2.0.16 has a password reset page with no rate limit.

GHSA-282v-666c-3fvg: transformers has Insecure Temporary File

Insecure Temporary File in GitHub repository huggingface/transformers 4.29.2 and prior. A fix is available at commit 80ca92470938bbcc348e2d9cf4734c7c25cb1c43 and anticipated to be part of version 4.30.0.

GHSA-h538-r9x6-rcmc: LavaLite vulnerable to Cross Site Scripting

LavaLite v9.0.0 is vulnerable to Cross Site Scripting (XSS).

GHSA-wjq3-7jxx-whj9: mlflow Path Traversal vulnerability

mlflow prior to 2.3.0 is vulnerable to path traversal due to a bypass of the fix for CVE-2023-1177.