Source
ghsa
### Impact We are incorporating the password policies listed in https://github.com/vantage6/vantage6/issues/59. One measure is that, when a wrong username/password combination is entered, we don't tell the user whether the username actually exists, to prevent bots from guessing usernames. However, if a wrong password is entered a number of times, the user account is blocked temporarily. This way you could still find out which usernames exist. ### Patches Update to 3.8.0+ ### Workarounds No ### References https://github.com/vantage6/vantage6/issues/59 ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])
Affected versions of this crate were using a debug assertion to validate the `last` parameter of `partial_sort()`. This would allow invalid inputs to cause an out-of-bounds read instead of immediately panicking, when compiled without debug assertions. All writes are bounds-checked, so the out-of-bounds memory access is read-only. This also means that the first attempted out-of-bounds write will panic, limiting the possible reads. The accessible region is further limited by an initial bounds-checked read at `(last / 2) - 1`, i.e., it is proportional to the size of the vector. This bug has been fixed in v0.2.0.
Affected versions of this crate had implementations of `From<&mut AsciiStr>` for `&mut [u8]` and `&mut str`. This can result in out-of-bounds array indexing in safe code. The flaw was corrected in commit [8a6c779](https://github.com/tomprogrammer/rust-ascii/pull/63/commits/8a6c7798c202766bd57d70fb8d12739dd68fb9dc) by removing those impls.
### Impact A malicious user is able to upload a crafted `config` file into a repository's `.git` directory, in combination with crafted file deletion, to gain SSH access to the server on case-insensitive file systems. All installations with [repository upload enabled (default)](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129) on case-insensitive file systems (Windows, macOS, etc.) are affected. ### Patches Sanitization of upload paths to the `.git` directory is made case-insensitive. Users should upgrade to 0.12.11 or the latest 0.13.0+dev. ### Workarounds Disable [repository upload](https://github.com/gogs/gogs/blob/f36eeedbf89328ee70cc3a2e239f6314f9021f58/conf/app.ini#L127-L129). ### References https://huntr.dev/bounties/18cf9256-23ab-4098-a769-85f8da130f97/ ### For more information If you have any questions or comments about this advisory, please post on https://github.com/gogs/gogs/issues/7030.
Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber 1.3.2 and prior. A patch is available and anticipated to be part of version 1.3.3.
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.
Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore 10.5.17 and prior. A patch is available and anticipated to be part of 10.5.18.
Versions of the package deno before 1.31.0 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the `upgradeWebSocket` function, which contains regexes in the form of `/\s*,\s*/`, used for splitting the Connection/Upgrade header. A specially crafted Connection/Upgrade header can be used to significantly slow down a web socket server. This issue has been patched in version 1.31.0.
All versions of the package lite-web-server are vulnerable to Denial of Service (DoS) when an attacker sends an HTTP request and includes control characters that the decodeURI() function is unable to parse.
Froxlor prior to version 2.0.11 has a Cross-Site Request Forgery vulnerability.