Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-wm8q-9975-xh5v: Zope vulnerable to Stored Cross Site Scripting with SVG images

### Impact There is a stored cross site scripting vulnerability for SVG images. Note that an image tag with an SVG image as source is never vulnerable, even when the SVG image contains malicious code. To exploit the vulnerability, an attacker would first need to upload an image, and then trick a user into following a specially crafted link. All versions of Zope are impacted on sites that allow untrusted users to upload images. ### Patches Patches will be released in Zope 4.8.10 and 5.8.5. ### Workarounds Make sure the "Add Documents, Images, and Files" permission is only assigned to trusted roles. By default only the Manager has this permission.

ghsa
#xss#vulnerability
GHSA-xrpm-hccg-28x7: Improper Input Validation in nocodb

Improper Input Validation in GitHub repository nocodb/nocodb prior to 0.96.0.

GHSA-7cfq-72w2-24q4: Yii2 allows attackers to execute any local .php file via a relative path in the view parameter

web\ViewAction in Yii (aka Yii2) 2.x before 2.0.5 allows attackers to execute any local .php file via a relative path in the view parameeter.

GHSA-9mcr-873m-xcxp: Tungstenite allows remote attackers to cause a denial of service

The Tungstenite crate through 0.20.0 for Rust allows remote attackers to cause a denial of service (minutes of CPU consumption) via an excessive length of an HTTP header in a client handshake. The length affects both how many times a parse is attempted (e.g., thousands of times) and the average amount of data for each parse attempt (e.g., millions of bytes).

GHSA-725m-w832-q973: Composer allows cache poisoning from other projects built on the same host

Composer before 2016-02-10 allows cache poisoning from other projects built on the same host. This results in attacker-controlled code entering a server-side build process. The issue occurs because of the way that dist packages are cached. The cache key is derived from the package name, the dist type, and certain other data from the package repository (which may simply be a commit hash, and thus can be found by an attacker). Versions through 1.0.0-alpha11 are affected, and 1.0.0 is unaffected.

GHSA-c647-pxm2-c52w: Vyper vulnerable to memory corruption in certain builtins utilizing `msize`

### Impact In certain conditions, the memory used by the builtins `raw_call`, `create_from_blueprint` and `create_copy_of` can be corrupted. - For `raw_call`, the argument buffer of the call can be corrupted, leading to incorrect `calldata` in the sub-context. - For `create_from_blueprint` and `create_copy_of`, the buffer for the to-be-deployed bytecode can be corrupted, leading to deploying incorrect bytecode. Below are the conditions that must be fulfilled for the corruption to happen for each builtin: #### `raw_call` - memory is not fully initialized, ex. all parameters to an external function live in calldata and - The `data` argument of the builtin is `msg.data`. and - The `value` or `gas` passed to the builtin is some complex expression that results in writing to uninitialized memory (e.g. calling an internal function) #### `create_copy_of` - memory is not fully initialized, ex. all parameters to an external function live in calldata and - The `value` or `salt` passed to the...

GHSA-pxg5-h34r-7q8p: GeoNode vulnerable to SSRF Bypass to return internal host data

A SSRF vulnerability exists, bypassing existing controls on the software. This can allow a user to request internal services for a full read SSRF, returning any data from the internal network. the application is using a whitelist, but the whitelist can be bypassed with @ and encoded value of @ (%40) GET /proxy/?url=http://development.demo.geonode.org%40geoserver:8080/geoserver/web This will trick the application that the first host is a whitelisted address, but the browser will use @ or %40 as a credential to the host geoserver on port 8080, this will return the data to that host on the response. ![image](https://user-images.githubusercontent.com/35967437/264379628-8cecbc56-be6c-49dc-abe8-0baf8b8695cc.png)

GHSA-fv2h-753j-9g39: Sustainsys.Saml2 Insufficient Identity Provider Issuer Validation

### Impact When a response is processed, the issuer of the Identity Provider is not sufficiently validated. This could allow a malicious identity provider to craft a Saml2 response that is processed as if issued by another identity provider. It is also possible for a malicious end user to cause stored state intended for one identity provider to be used when processing the response from another provider. An application is impacted if they rely on any of these features in their authentication/authorization logic: * the issuer of the generated identity and claims * items in the stored request state (AuthenticationProperties) ### Patches Patched in version 2.9.2 and 1.0.3. All previous versions are vulnerable. ### Workarounds The `AcsCommandResultCreated` notification can be used to add the validation required if an upgrade to patched packages is not possible. ### References The patch is linked to https://github.com/Sustainsys/Saml2/issues/712 and https://github.com/Sustainsys/Saml2/is...

GHSA-x4hh-vjm7-g2jv: Faktory Web Dashboard can lead to denial of service(DOS) via malicious user input

### Summary Faktory web dashboard can suffer from denial of service by a crafted malicious url query param `days`. ### Details The vulnerability is related to how the backend reads the `days` URL query parameter in the Faktory web dashboard. The value is used directly without any checks to create a string slice. If a very large value is provided, the backend server ends up using a significant amount of memory and causing it to crash. ### PoC To reproduce this vulnerability, please follow these steps: Start the Faktory Docker and limit memory usage to 512 megabytes for better demonstration: ``` $ docker run --rm -it -m 512m \ -p 127.0.0.1:7419:7419 \ -p 127.0.0.1:7420:7420 \ contribsys/faktory:latest ``` Send the following request. The Faktory server will exit after a few seconds due to out of memory: ``` $ curl 'http://localhost:7420/?days=922337' ``` ### Impact **Server Availability**: The vulnerability can crash the Faktory server, affecting its availability. **Denial of...

GHSA-279f-qwgh-h5mp: Jenkins does not exclude sensitive build variables from search

Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc. Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from this search. This allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. Jenkins 2.424, LTS 2.414.2 excludes sensitive variables from this search.