Security
Headlines
GHSA-8j3v-68w3-3848: Gitea erroneous repo clones

In Gitea through 1.17.1, repo cloning can occur in the migration function.

GHSA-xcq3-7pf3-5jvc: Cockpit PHP Remote File Inclusion vulnerability

PHP Remote File Inclusion in GitHub repository cockpit-hq/cockpit prior to 2.6.3. Users may upload PHP files through the system file upload utility to obtain remote code execution.

GHSA-w3qm-93vf-5hrw: Cockpit Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository cockpit-hq/cockpit prior to 2.6.3. For any role that has permission to execute function assets, an attacker can upload an HTML file, which leads to XSS.

GHSA-qq8m-9rpx-w2fm: Admidio Insufficient Session Expiration vulnerability

Insufficient Session Expiration in GitHub repository admidio/admidio prior to 4.2.11. This vulnerability allows a user's session to remain valid even after the user has logged out, potentially granting unauthorized access to sensitive areas and functionalities.

GHSA-269x-pg5c-5xgm: Apache Airflow Execution with Unnecessary Privileges

Execution with Unnecessary Privileges, Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Software Foundation Apache Airflow. The "Run Task" feature enables an authenticated user to bypass some of the restrictions put in place. It allows executing code in the webserver context and also allows bypassing the limitation of access the user has to certain DAGs. The "Run Task" feature is considered dangerous and has been removed entirely in Airflow 2.6.0. This issue affects Apache Airflow: before 2.6.0.

GHSA-gwqq-6vq7-5j86: langchain Code Injection vulnerability

An issue in Harrison Chase langchain allows an attacker to execute arbitrary code via `PALChain.from_math_prompt(llm).run` in the Python exec method.

GHSA-q7mc-fc87-v7w7: OpenRefine Server-Side Request Forgery vulnerability

OpenRefine <= v3.5.2 contains a Server-Side Request Forgery (SSRF) vulnerability, which permits unauthorized users to exploit the system, potentially leading to unauthorized access to internal resources and sensitive file disclosure.

GHSA-2xx4-jj5v-6mff: Nuclei Path Traversal vulnerability

## Overview

We have identified and addressed a security issue in the Nuclei project that affected users utilizing Nuclei as **Go code (SDK)** running **custom templates**. This issue did not affect CLI users. The problem was related to sanitization issues with payloads loading in `sandbox` mode.

## Details

In the previous versions, there was a potential risk with payloads loading in sandbox mode. The issue occurred due to relative paths not being converted to absolute paths before doing the check for `sandbox` flag allowing arbitrary files to be read on the filesystem in certain cases when using Nuclei from `Go` SDK implementation.

This issue has been fixed in the latest release, v2.9.9. We have also enabled sandbox by default for filesystem loading. This can be optionally disabled if required. The `-sandbox` option has been **deprecated** and is now divided into two new options: `-lfa` (allow local file access) which is enabled by default and `-lna` (restrict local network acces...

GHSA-3pmj-jqqp-2mj3: matrix-appservice-irc IRC command injection via admin commands containing newlines

### Impact

It is possible to craft a command with newlines which would not be properly parsed. This would mean you could pass a string of commands as a channel name, which would then be run by the IRC bridge bot.

### Patches

Versions 1.0.1 and above are patched.

### Workarounds

There are no robust workarounds to the bug. You can disable dynamic channels in the config to disable the most common execution method but others may exist. It is highly recommended to upgrade the bridge.

### Credits

Discovered and reported by [Val Lorentz](https://valentin-lorentz.fr/).

### For more information

If you have any questions or comments about this advisory email us at [[email protected]](mailto:[email protected]).

GHSA-vc7j-h8xg-fv5x: matrix-appservice-bridge doesn't verify the sub parameter of an openId token exchange, allowing unauthorized access to provisioning APIs

### Impact

A malicious Matrix server can use a foreign user's MXID in an OpenID exchange, allowing a bad actor to impersonate users when using the provisioning API.

### Details

The library does not check that the servername part of the `sub` parameter (containing the user's *claimed* MXID) is the same as the servername we are talking to. A malicious actor could spin up a server on any given domain, respond with a `sub` parameter according to the user they want to act as and use the resulting token to perform provisioning requests.

### Workarounds

Disable the provisioning API. If the bridge does not use the provisioning API, you are not vulnerable.