Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-wc6j-5g83-xfm6: mflow vulnerable to directory traversal

A directory traversal vulnerability in the /get-artifact API method of the mlflow platform prior to v2.0.0 allows attackers to read arbitrary files on the server via the path parameter.

ghsa
Open in Source
#vulnerability#git
GHSA-m6m9-gr85-79vm: Pimcore Cross-site Scripting (XSS) in name field of Custom Reports

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.21 or apply this patch manually: https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/c36ef54ce33f7b5e74b7b0ab9eabfed47c018fc7.patch ### References https://huntr.dev/bounties/1a5e6c65-2c5e-4617-9411-5b47a7e743a6/

GHSA-q7cc-m6jw-m262: Pimcore Cross-site Scripting (XSS) in Predefined Properties delete

### Impact This vulnerability has the potential to steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie or redirect users to other malicious sites. ### Patches Update to version 10.5.21 or apply this patches manually https://github.com/pimcore/pimcore/commit/7a799399e6843cd049e85da27ceb75b78505317f.patch ### Workarounds Apply patches manually: https://github.com/pimcore/pimcore/commit/7a799399e6843cd049e85da27ceb75b78505317f.patch ### References https://huntr.dev/bounties/af9c360a-87f8-4e97-a24b-6db675ee942a/

GHSA-r3fg-3r88-6x3f: Ibexa User Settings are accessible on the front-end for anonymous user

### Impact This security advisory is about the user settings, which include things like preferred time zone and number of items per page in item listings. These could be accessed by the anonymous user. This impacted only the anonymous users themselves, and had no impact on logged in users. As such the impact is limited, even if custom user settings have been added, but please consider if this matters for your site. The fix ensures that only logged in users can access their user settings. ### References https://developers.ibexa.co/security-advisories/ibexa-sa-2023-002-user-settings-are-accessible-on-the-front-end-for-the-anonymous-user

GHSA-p58x-7733-vp9m: n8n Directory Traversal vulnerability

The n8n package prior to version 0.216.1 for Node.js allows Directory Traversal.

GHSA-97cp-mr4m-9mcf: n8n Privilege Escalation vulnerability

The n8n package prior to 0.216.1 for Node.js allows Escalation of Privileges.

GHSA-r9xw-p7wj-w792: n8n Information Disclosure vulnerability

The n8n package prior to 0.216.1 for Node.js allows Information Disclosure.

GHSA-6gp6-xj27-g89q: Duplicate Advisory: Cross-site Scripting (XSS) in name field of Custom Reports

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m6m9-gr85-79vm. This link is maintained to preserve external references. ## Original Description Cross-site Scripting (XSS) - DOM in GitHub repository pimcore/pimcore prior to 10.5.21.

GHSA-j93v-cx26-2xc4: Duplicate Advisory: Cross-site Scripting (XSS) in Predefined Properties delete

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-q7cc-m6jw-m262. This link is maintained to preserve external references. ## Original DescriptionCross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.5.21.

GHSA-vcxh-qvgr-9fw9: m.static Directory Traversal vulnerability

All versions of the package m.static are vulnerable to Directory Traversal due to improper input sanitization of the path being requested via the requestFile function.