Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-7mpr-5m44-h73r: markdownify allows large headline prefixes such as <h9999999>, which causes memory consumption

python-markdownify (aka markdownify) before 0.14.1 allows large headline prefixes such as <h9999999> in addition to <h1> through <h6>. This causes memory consumption.

ghsa
Open in Source
#vulnerability#auth
GHSA-75v8-2h7p-7m2m: Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

Formidable (aka node-formidable) 2.1.0 through 3.x before 3.5.3 relies on hexoid to prevent guessing of filenames for untrusted executable content; however, hexoid is documented as not "cryptographically secure." (Also, there is a scenario in which only the last two characters of a hexoid string need to be guessed, but this is not often relevant.) NOTE: this does not imply that, in a typical use case, attackers will be able to exploit any hexoid behavior to upload and execute their own content.

GHSA-34g7-pg9j-pxgp: Moodle allows IDOR when accessing the cohorts report

A flaw was discovered in Moodle. Additional checks were required to ensure that users can only access cohort data they are authorized to retrieve.

GHSA-9vc3-vm42-fjhm: Moodle's mod_data edit/delete pages pass CSRF token in GET parameter

A security vulnerability was found in Moodle where confidential information that prevents cross-site request forgery (CSRF) attacks was shared publicly through the site's URL. This vulnerability occurred specifically on two types of pages within the mod_data module: edit and delete pages.

GHSA-pj96-xh2w-fgqx: Moodle has an IDOR in messaging web service which allows access to some user details

A flaw was found in Moodle. Insufficient capability checks in a messaging web service allowed users to view other users' names and online statuses.

GHSA-hxgg-4qww-85ph: Moodle has reflected Cross-site Scripting risk in policy tool

A flaw was found in Moodle. The return URL in the policy tool required additional sanitizing to prevent a reflected Cross-site scripting (XSS) risk.

GHSA-m8qh-hx4c-h9hr: Moodle has a CSRF risk in Brickfield tool's analysis request action

A flaw was found in Moodle. The analysis request action in the Brickfield tool did not include the necessary token to prevent a Cross-site request forgery (CSRF) risk.

GHSA-6g5x-h5x7-q4mq: Moodle has an IDOR in web service which allows users enrolled in a course to access some details of other users

A flaw was found in Moodle. Insufficient capability checks made it possible for a user enrolled in a course to access some details, such as the full name and profile image URL, of other users they did not have permission to access.

GHSA-c8v6-vxhf-wcrr: Moodle has an authenticated remote code execution risk in the Moodle LMS Dropbox repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS Dropbox repository. By default, this was only available to teachers and managers on sites with the Dropbox repository enabled.

GHSA-m367-445c-2xqr: Moodle has an authenticated remote code execution risk in the Moodle LMS EQUELLA repository

A flaw was found in Moodle. A remote code execution risk was identified in the Moodle LMS EQUELLA repository. By default, this was only available to teachers and managers on sites with the EQUELLA repository enabled.