Security Headlines: Latest CVEs (source: ghsa)
GHSA-j2gj-g3p9-7mrr: Account TakeOver Due to Improper Handling of JWT Tokens in usememos/memos

Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As of commit `c9aa2eeb9`, access tokens that fail validation are rejected.

GHSA-96gq-6ch5-mm54: usememos/memos vulnerable to improper input validation

Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.

GHSA-5j6p-59cj-j6cp: usememos/memos vulnerable to privilege escalation

Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.

GHSA-wc9j-gc65-3cm7: DDFFileParser is vulnerable to XXE Attacks

### Impact

`DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). A [DDF file](https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model) is an LWM2M format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only with trusted XML schemas, upgrading is not mandatory.

### Patches

This is fixed in **v1.5.0** and **2.0.0-M13**.

### Workarounds

No easy way. Possibly write your own `DDFFileParser`/`DefaultDDFFileValidator` (and so `ObjectLoader`) that creates a `DocumentBuilderFactory` with:

```java
// For DDFFileParser
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATU...
```

GHSA-r285-q736-9v95: Filename spoofing in archive

An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.

GHSA-c2cc-3569-6jh2: Path traversal in ZIPFoundation

An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.

GHSA-9v85-q87q-g4vg: Path traversal in Archive

An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.

GHSA-g454-wj9r-jpg4: Path traversal in Zip Swift

An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.

GHSA-7422-7rq6-j4qv: Badaso vulnerable to cross-site scripting

Cross-site scripting vulnerability in Badaso v0.0.1 through v2.9.7 allows a remote attacker to execute arbitrary code via a crafted payload to the "Name of member" parameter in the "add new member" function.

GHSA-j5g3-5c8r-7qfx: Prevent logging invalid header values

## Impact

### What kind of vulnerability is it?

Apollo Server can log sensitive information (Studio API keys) if they are passed incorrectly (with leading/trailing whitespace) or if they contain any characters that are invalid as part of a header value.

### Who is impacted?

Users who (all of the below):

* use either the schema reporting or usage reporting feature
* use an Apollo Studio API key which has invalid header values
* use the default fetcher (`node-fetch`) or configured their own `node-fetch` fetcher

The following Node snippet can test whether your API key has invalid header values. The regular expression is taken directly from `node-fetch@2`'s header value validation code.

```js
// Same character class node-fetch@2 uses to reject invalid header values:
// anything other than TAB, printable ASCII (0x20-0x7e) and 0x80-0xff.
const invalidHeaderCharRegex = /[^\t\x20-\x7e\x80-\xff]/;
if (invalidHeaderCharRegex.test('<YOUR_API_KEY>')) {
  console.log('potentially affected');
} else {
  console.log('unaffected');
}
```

If the provided API key is not a valid header value, whenever Apollo Server uses that API key in a request (to Studio, for example),...