ghsa

Jenkins Folders Plugin displays an error message when attempting to access the Scan Organization Folder Log if no logs are available. In Folders Plugin 6.846.v23698686f0f6 and earlier, this error message includes the absolute path of a log file, exposing information about the Jenkins controller file system. Folders Plugin 6.848.ve3b_fd7839a_81 does not display the absolute path of a log file in the error message.

Jenkins Folders Plugin 6.846.v23698686f0f6 and earlier does not require POST requests for an HTTP endpoint, resulting in a cross-site request forgery (CSRF) vulnerability. This vulnerability allows attackers to copy a view inside a folder. Folders Plugin 6.848.ve3b_fd7839a_81 requires POST requests for the affected HTTP endpoint.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-v7v8-gjv7-ffmr. This link is maintained to preserve external references. ## Original Description Versions of the package @excalidraw/excalidraw from 0.0.0 are vulnerable to Cross-site Scripting (XSS) via embedded links in whiteboard objects due to improper input sanitization.

### Impact A vulnerability in Ghost allows authenticated users to upload files which are symlinks. This can be exploited to perform an arbitrary file read of any file on the operating system. Site administrators can check for exploitation of this issue by looking for unknown symlinks within Ghost's `content/` folder ### Vulnerable versions This security vulnerability is present in Ghost ≤ v5.59.0. ### Patches v5.59.1 contains a fix for this issue. ### For more information If you have any questions or comments about this advisory: * Email us at [[email protected]](mailto:[email protected])

### Impact The Yak Engine has been found to contain a local file inclusion (LFI) vulnerability. This vulnerability allows attackers to include files from the server's local file system through the web application. When exploited, this can lead to the unintended exposure of sensitive data, potential remote code execution, or other security breaches. Users utilizing versions of the Yak Engine prior to 1.2.4-sp1 are impacted. ### Patches The vulnerability has been addressed and patched. Users are advised to upgrade to Yak Engine version 1.2.4-sp1 immediately. The patch can be viewed and reviewed at this PR: [https://github.com/yaklang/yaklang/pull/295](https://github.com/yaklang/yaklang/pull/295)，[https://github.com/yaklang/yaklang/pull/296](https://github.com/yaklang/yaklang/pull/296) ### Workarounds Currently, the most effective solution is to upgrade to the patched version of Yak Engine (1.2.4-sp1). Users are also advised to avoid exposing vulnerable versions to untrusted input an...

### Summary In the `/license/` endpoint, the detailed view key is not properly validated and sanitized, which can result in a potential cross-site scripting (XSS) vulnerability when attempting to access a detailed license view that does not exist. ### Details In the `/license/` endpoint, the `license_details_view` function is vulnerable to a potential cross-site scripting (XSS) attack due to inadequate validation and sanitization of the `key` parameter. This vulnerability arises when attempting to access a key with malicious javascript. ```python def license_details_view(request, key): """ Display all available information about a given license `key` followed by the full license text. """ licenses = get_licenses() try: data = saneyaml.dump(licenses[key].to_dict()) text = licenses[key].text except KeyError: return HttpResponseNotFound(f"License {key} not found.") # Leads to cross-site scripting when key is malicious javascript re...

### Summary When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a `session` strategy is not defined. ### Impact This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, you are unaffected if `ui.isAccessAllowed` is defined). This vulnerability does affect developers who thought that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. ### Patches This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. ### Workarounds You can opt to write your own `isAccessAllowed` to work-around this vulnerability. ### References ...

An issue in Harrison Chase langchain before version 0.0.236 and before allows a remote attacker to execute arbitrary code via the `from_math_prompt` and `from_colored_object_prompt` functions.

An issue in LangChain v.0.0.231 allows a remote attacker to execute arbitrary code via the prompt parameter.

An issue in Alluxio v.2.9.3 and before allows an attacker to execute arbitrary code via a crafted script to the username parameter of lluxio.util.CommonUtils.getUnixGroups(java.lang.String).