ghsa

Use of Platform-Dependent Third Party Components in GitHub repository cockpit-hq/cockpit 2.3.9 and prior. A patch is available and anticipated to be part of version 2.4.0.

Vega is vulnerable to arbitrary code execution when clicking href links. Versions 5.4.1 and 4.5.1 contain a patch.

Keycloak's OpenID Connect user authentication was found to incorrectly authenticate requests. An authenticated attacker who could also obtain a certain piece of info from a user request, from a victim within the same realm, could use that data to impersonate the victim and generate new session tokens.

There is an Open Redirect vulnerability in the Node.js adapter when forwarding requests to Keycloak using `checkSSO` with query param `prompt=none`.

### Impact SAML Service Providers using this library for SAML authentication support are likely susceptible to Denial of Service attacks. A bug in this library enables attackers to craft a `deflate`-compressed request which will consume significantly more memory during processing than the size of the original request. This may eventually lead to memory exhaustion and the process being killed. ### Mitigation The maximum compression ratio achievable with `deflate` is 1032:1, so by limiting the size of bodies passed to gosaml2, limiting the rate and concurrency of calls, and ensuring that lots of memory is available to the process it _may_ be possible to help Go's garbage collector "keep up". Implementors are encouraged not to rely on this. ### Patches This issue is addressed in v0.9.0

### Summary The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. ### Details The [scale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/functions/scale.js#L36-L37) expression function passes a user supplied argument `group` to [getScale](https://github.dev/vega/vega/blob/72b9b3bbf912212e7879b6acaccc84aff969ef1c/packages/vega-functions/src/scales.js#L6), which is then used as if it were an internal context. The `context.scales[name].value` is accessed from `group` and called as a function back in `scale`. ### PoC The following Vega definition can be used to demonstrate this issue executing the JavaScript code `alert(1);` ```json { "$schema": "https://vega.github.io/schema/vega/v5.json", "data": [ { "name": "XSS PoC", "values": [1], "transfor...

### Summary We (https://github.com/elastic/kibana) got a HackerOne report about XSS in Kibana via Vega's `lassoAppend` function (undisclosed, author asked us to report it on his behalf): `lassoAppend` accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The originally reported PoC below is based on `event.view.setImmediate` which is available in Kibana (via Core-JS polyfill, not sure how popular this shim these days), but it's not browser's built-in API, and hence not immediately exploitable via Vega alone. I couldn't quickly fi...

### Impact Some internal Python exceptions are not handled properly and thus are returned in API as error messages. Some messages might contain sensitive information like infrastructure details in unauthenticated requests. Affected versions: Saleor ≥ 2.0.0 ### Workarounds None ### For more information If you have any questions or comments about this advisory: * Open a discussion at https://github.com/saleor/saleor/discussions * Email us at [[email protected]](mailto:[email protected])

### Impact The annotation displayer does not execute the content in a restricted context. This allows executing anything with the right of the author of any document by annotating the document. To reproduce: add an annotation with the content `{{groovy}}print "hello"{{/groovy}}` and click the yellow scare to get a display of the annotation inline. The result is "hello" but it should be an error suggesting that it's not allowed to use the groovy macro. ### Patches This has been patched in XWiki 13.10.11, 14.4.7 and 14.10. ### Workarounds There is no easy workaround except to upgrade. ### References https://jira.xwiki.org/browse/XWIKI-20360 https://jira.xwiki.org/browse/XWIKI-20384 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected]) ### Attribution This vulnerability has been reported by René de Sain @renniepak.

### Impact The attacker can execute arbitrary JavaScript and steal Cookies information and use them to hijack the user's session. ### Patches Update to version 10.5.18 or apply this patch manually https://github.com/pimcore/pimcore/pull/14467.patch ### Workarounds Apply https://github.com/pimcore/pimcore/pull/14467.patch manually. ### References https://huntr.dev/bounties/3245ff99-9adf-4db9-af94-f995747e09d1/