ghsa

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-pgvh-p3g4-86jw. This link is maintained to preserve external references. ## Original Description Impact: An attacker could execute remote code on a system running wwbn/avideo Step to Reproduce: 1. Go to the `My Videos` tab https://demo.avideo.com/mvideos 2. Click "Embed a video link" Append a command to the url as a query string. eg. `?whoami` then click Save This issue has been resolved in commit `236228f15`

CraftCMS prior to version 3.7.68 is vulnerable Cross Site Scripting (XSS). An attacker can inject javascript code into Volume Name.

There is insufficient checking of user queries in Apache Jena versions 4.7.0 and earlier, when invoking custom scripts. It allows a remote user to execute arbitrary javascript via a SPARQL query.

### Summary Kitchen-Terraform v7.0.0 introduced a regression which caused all Terraform output values, including sensitive values, to be printed at the `info` logging level during the `kitchen converge` action. Prior to v7.0.0, the output values were printed at the `debug` level to avoid writing sensitive values to the terminal by default. ### Original Report @brettcurtis: > Hopefully, I'm not doing something stupid here, but I'm seeing sensitive outputs printed in the kitchen output. You can check this action for an example: https://github.com/osinfra-io/terraform-google-project/actions/runs/4700065515/jobs/8334277309#step:5:215 > > It's not really a sensitive value just used it as an example.

### Impact Kiwi TCMS allows users to upload attachments to test plans, test cases, etc. In earlier versions there is no control over what kinds of files can be uploaded. Thus a malicious actor may upload an `.exe` file or a file containing embedded JavaScript and trick others into clicking on these files causing vulnerable browsers to execute malicious code on another computer or attempting XSS attacks. Stored XSS attacks via file uploads have been fixed in earlier versions of Kiwi TCMS, see [GHSA-2wcr-87wf-cf9j](https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-2wcr-87wf-cf9j). This advisory deals with prohibiting users to upload potentially compromised files in the first place. ### Patches Kiwi TCMS v12.2 comes with functionality that allows administrators to configure additional upload validator functions which give them more control over what file types are accepted for upload. By default `.exe` are denied. Other files containing the `<script>` tag, regardless of their t...

### Impact Affected versions of Laminas Diactoros accepted a single line feed (LF / `\n` ) character at the end of a header name. When serializing such a header name containing a line-feed into the on-the-wire representation of a HTTP/1.x message, the resulting message would be syntactically invalid, due to the header line being terminated too early. An attacker that is able to control the header names that are passed to Laminas Diactoros would be able to intentionally craft invalid messages, possibly causing application errors or invalid HTTP requests being sent out with an PSR-18 HTTP client. The latter might present a denial of service vector if a remote service’s web application firewall bans the application due to the receipt of malformed requests. ### Patches The problem has been patched in the following versions: - 2.18.1 - 2.19.1 - 2.20.1 - 2.21.1 - 2.22.1 - 2.23.1 - 2.24.2 - 2.25.2 ### Workarounds Validate HTTP header keys and/or values, and if using user-supplied values...

### Impact Frederic Linn (@FredericLinn) has reported a series of vulnerabilities that can result in directory traversal, file write, and potential remote code execution on Jellyfin instances. The general process involves chaining several exploits including a stored XSS vulnerability and can be used by an unprivileged user. The general process is (using the example of setting an intro video as the payload): * Create a session as a low-priviledged user with a crafted authorization header * Upload an executable that contains a malicious plugin inline via /ClientLog/Document * (Admin hovers over our device in dashboard -> XSS payload gets triggered) * XSS Payload tries to set encoder path to our uploaded "log" file via /System/MediaEncoder/Path * The request fails, but in the process our executable actually runs (I guess for verifying if the path points to a valid ffmpeg version) * The executable will create a plugin folder and place the inlined plugin DLL inside it * The XSS payload sh...

### Impact A failure in the update logic of Rancher's admission Webhook may lead to the misconfiguration of the Webhook. This component enforces validation rules and security checks before resources are admitted into the Kubernetes cluster. When the Webhook is operating in a degraded state, it no longer validates any resources, which may result in severe privilege escalations and data corruption. The issue only affects users that upgrade from `2.6.x` or `2.7.x` to `2.7.2`. Users that did a fresh install of 2.7.2 (and did not follow an upgrade path) are not affected. The command below can be executed on the `local` cluster to determine whether the cluster is affected by this issue: ```sh $ kubectl get validatingwebhookconfigurations.admissionregistration.k8s.io rancher.cattle.io NAME WEBHOOKS AGE rancher.cattle.io 0 19h ``` If the resulting webhook quantity is `0`, the Rancher instance is affected. ### Patches Patched versions include release `2.7.3` ...

### Background During the audit of [Lido's Gate Seals](https://github.com/lidofinance/gate-seals) code [statemind](https://statemind.io) team identified a weird behavior of the code that uses `raw_call`: https://github.com/lidofinance/gate-seals/blob/051593e74df01a4131c485b4fda52e691cd4b7d8/contracts/GateSeal.vy#L164 . Construction like this: ```vyper success = raw_call( sealable, _abi_encode(SEAL_DURATION_SECONDS, method_id=method_id("pauseFor(uint256)")), revert_on_failure=False ) ``` was not fully documented: https://docs.vyperlang.org/en/v0.3.7/built-in-functions.html#raw_call . The documentation says that: if `max_outsize=0` it should return nothing and then it says that if `revert_on_failure=False` it should return a `success` flag in the tuple of response, but what if `max_outsize=0` and `revert_on_failure=False`. <img width="715" alt="image" src="https://user-images.githubusercontent.com/22330612/232125364-d2b3bbac-0b4f-40cb-80ff-f55d8eafef44.png"> So the team...

## Summary The `embano1/wip` action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a run statement - resulting in a command injection vulnerability due to string interpolation. ## Details and Impact This vulnerability can be triggered by any user on GitHub. They just need to create a pull request with a commit message containing an exploit. (Note that first-time PR requests will not be run - but the attacker can submit a valid PR before submitting an invalid PR). The commit can be genuine, but the commit message can be malicious. This can be used to execute code on the GitHub runners (potentially use it for crypto-mining, and waste your resources) and can be used to exfiltrate any secrets that you use in the CI pipeline (including repository tokens). [Here](https://securitylab.github.com/research/github-actions-untrusted-input/) is a set of blog posts by Github's security team explaining this issue. ## How to update existing...