ghsa

### Impact This is a hole in the confinement of guest applications under SES that may manifest as either the ability to exfiltrate information or execute arbitrary code depending on the configuration and implementation of the surrounding host. Guest program running inside a Compartment with as few as no endowments can gain access to the surrounding host’s dynamic import by using dynamic import after the spread operator, like `{...import(arbitraryModuleSpecifier)}`. On the web or in web extensions, a Content-Security-Policy following ordinary best practices likely mitigates both the risk of exfiltration and execution of arbitrary code, at least limiting the modules that the attacker can import to those that are already part of the application. However, without a Content-Security-Policy, dynamic import can be used to issue HTTP requests for either communication through the URL or for the execution of code reachable from that origin. Within an XS worker, an attacker can use the host’s...

## Command Injection in docker fetch process ### Summary A possible command injection in the docker fetch process as it allows to append malicious commands in the docker_reference parameter. ### Details In the function `scanpipe/pipes/fetch.py:fetch_docker_image`[1] the parameter `docker_reference` is user controllable. The `docker_reference` variable is then passed to the vulnerable function `get_docker_image_platform`. ```python def fetch_docker_image(docker_reference, to=None): """ code snipped .... """ platform_args = [] platform = get_docker_image_platform(docker_reference) # User controlled `docker_reference` passed """ code snipped... """ ``` However, the `get_docker_image_plaform` function constructs a shell command with the passed `docker_reference`. The `pipes.run_command` then executes the shell command without any prior sanitization, making the function vulnerable to command injections. ```python def get_docker_image_platform(docker_refer...

### Impact It is possible to delete files from the server via the CustomerMessage API ### Patches 8.1.1 ### Found by Kto94 (via Yeswehack) ### Workarounds none ### References none

### Impact It is possible to delete a file from the server by using the Attachments controller and the Attachments API. ### Patches 8.1.1 ### Found by Kto94 (via Yeswehack) ### Workarounds none ### References none

### Impact `displayAjaxEmailHTML` method can be used to read any file on the server, potentially even outside of the project if the server is not correctly configured ### Patches 8.1.1 ### Found by Aleksey Solovev (Positive Technologies) ### Workarounds ### References

### Impact xss injection through `isCleanHTML` method ### Patches 1.7.8.10 8.0.5 8.1.1 ### Found by Aleksey Solovev (Positive Technologies) ### Workarounds ### References

### Impact Remote code execution through SQL injection and arbitrary file write in back office ### Patches 1.7.8.10 8.0.5 8.1.1 ### Found by Truff (via yeswehack) ### Workarounds none ### References none

### Impact In the back office, files can be compromised using path traversal by replaying the import file deletion query with a specified file path, using traversal path. ### Patches 8.1.1 ### Found by Aleksey Solovev (Positive Technologies) ### Workarounds none ### References none

### Impact SQL injection possible in product search field, in BO's product page ### Patches 8.1.1 ### Found by Aleksey Solovev (Positive Technologies) ### Workarounds none ### References none

### Impact In versions 0.2.15, 0.2.16 and 0.3.0, named re-entrancy locks are allocated incorrectly. Each function using a named re-entrancy lock gets a unique lock regardless of the key, allowing cross-function re-entrancy in contracts compiled with the susceptible versions. A specific set of conditions is required to result in misbehavior of affected contracts, specifically: - A `.vy` contract compiled with either of the following `vyper` versions: `0.2.15`, `0.2.16`, `0.3.0` - A primary function that utilizes the `@nonreentrant` decorator with a specific `key` and does not strictly follow the check-effects-interaction pattern (i.e. contains an external call to an untrusted party before storage updates) - A secondary function that utilizes the same `key` and would be affected by the improper state caused by the primary function ### Patches https://github.com/vyperlang/vyper/pull/2439, https://github.com/vyperlang/vyper/pull/2514 ### Workarounds Upgrade to 0.3.1 or higher ### Refe...