Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-8ccw-f83g-v7g3: Wallabag Improper Authorization vulnerability

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

ghsa
#vulnerability#git#auth
GHSA-j3rg-3rgm-537h: Directus vulnerable to Server-Side Request Forgery On File Import

### Summary Directus versions <=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls that were implemented to patch vulnerability [CVE-2022-23080](https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2934713) by performing a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding) and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at `http://169.254.169.254` event if `169.254.169.254` is in the deny IP list). ### Details DNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to [`/api/src/services/file.ts`](https://github.com/directus/directus/blob/main/api/src/services/files.ts) for the function `importOne` t...

GHSA-wxwq-525w-hcqx: Yapscan Denial of Service vulnerability in report server

### Impact If you use the report server, it may be vulnerable to a Denial of Service attack. ### Patches Has been patched in v0.19.2. ### References The vulnerability was inherited by the following upstream vulnerabilites - [golang.org/x/text < v0.3.7](https://github.com/advisories/GHSA-ppp9-7jff-5vj2) - [golang.org/x/net < 0.0.0-20220906165146-f3363e06e74c](https://github.com/advisories/GHSA-69cg-p879-7622)

GHSA-859x-p6jp-rc2w: xwiki contains Incorrect Authorization

### Impact It's possible to execute a script with the right of another user (provided the target user does not have programming right). For example, the following: ``` {{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}} ``` written by a user not having script right (for example in the user's profile) should produce an error (the user is not allowed to write scripts). However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script right (but not programming right) the script will be executed with as if it was written by the target user. ### Patches The problem has been patched in XWiki 14.8RC1, 14.4.5 and 13.10.10. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-19856 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](htt...

GHSA-32fq-m2q5-h83g: XWiki-Platform vulnerable to stored Cross-site Scripting via the HTML displayer in Live Data

### Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: ``` {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20143 ### For more information If you have any questions or comments about this advisory:...

GHSA-52vf-hvv3-98h7: xwiki vulnerable to Improper Handling of Exceptional Conditions

### Impact Users with write rights can insert well-formed content that is not handled well by the parser. For instance, with `xwiki/2.1`, inserting a deeply nested group blocks (`((( ((( ((( ((( .... ))) ))) ))) )))` (see the generator below to produce a large payload) can lead to the parser throwing a `StackOverflowError`. As a consequence, some pages becomes unusable, including: - the user index (if the page containing the faulty content is a user page) - the page index Note that on the page, the normal UI is completely missing and it is not possible to open the editor directly to revert the change as the stack overflow is already triggered while getting the title of the document. This means that it is quite difficult to remove this content once inserted. ### Patches This has been patched on XWiki 13.10.10, 14.4.6, and 14.9-rc-1. ### Workarounds A temporary solution to avoid Stack Overflow errors is to increase the memory allocated to the stack by using the `-Xss` JVM parameter (e...

GHSA-8692-g6g9-gm5p: xwiki contains Exposed Dangerous Method or Function

### Impact `org.xwiki.store.script.TemporaryAttachmentsScriptService#uploadTemporaryAttachment` is returning an instance of `com.xpn.xwiki.doc.XWikiAttachment`. This class is not supported to be exposed to users without the `programing` right. `com.xpn.xwiki.api.Attachment` should be used instead and takes case of checking the user's rights before performing dangerous operations. ### Patches This has been patched in the version 14.9-rc-1 and 14.4.6. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-20180 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](https://jira.xwiki.org/) * Email us at [security ML](mailto:[email protected])

GHSA-x2qm-r4wx-8gpg: org.xwiki.platform:xwiki-platform-flamingo-theme-ui Eval Injection vulnerability

### Impact It's possible to inject arbitrary wiki syntax including Groovy, Python and Velocity script macros via the `newThemeName` request parameter (URL parameter), in combination with additional parameters `form_token=1&action=create`. For instance: [http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?newThemeName=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create](http://127.0.0.1:8080/xwiki/bin/view/FlamingoThemesCode/WebHomeSheet?**newThemeName**=foo%22%2F%7D%7D%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22hello%20from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D&form_token=1&action=create) will execute the following groovy code: `println("hello from groovy!")` on the server. ### Patches This has be...

GHSA-92wp-r7hm-42g7: XWiki Platform subject to Uncontrolled Resource Consumption

### Impact It's possible to make the farm unusable by adding an object to a page with a huge number (e.g. 67108863). This will most of the time fill the memory allocated to XWiki and make it unusable every time this document is manipulated. ### Patches It has been patched in XWiki 14.0 ### Workarounds There is no workaround. ### References https://jira.xwiki.org/browse/XWIKI-19223 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki](https://jira.xwiki.org) * Email us at [our security mailing list](mailto:[email protected])

GHSA-9cqm-5wf7-wcj7: XWiki Platform users may execute anything with superadmin right through comments and async macro

### Impact Comments are supposed to be executed with the right of superadmin but in restricted mode (anything dangerous is disabled) but the async macro is not taking into account the restricted mode. This means that any user with comment right can use the async macro to make it execute any wiki content with the right of superadmin as in: {{async}} {{groovy}}println "it works !"{{/groovy}} {{/async}} ### Patches This has been patched in XWiki 14.9, 14.4.6, and 13.10.10. ### Workarounds The only known workaround consists in applying [the following patch](https://github.com/xwiki/xwiki-platform/commit/00532d9f1404287cf3ec3a05056640d809516006) and rebuilding and redeploying `org.xwiki.platform:xwiki-platform-rendering-async-macro`. ### References * https://jira.xwiki.org/browse/XWIKI-20234 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira](http://jira.xwiki.org) * Email us at [Security ML](mailto:[email protected])