GHSA-6q4m-7476-932w: github-slug-action vulnerable to arbitrary code execution

### Impact

This action uses the `github.head_ref` parameter in an insecure way. The vulnerability can be triggered by any GitHub user against any workflow that uses the action on pull requests: they only need to open a pull request whose branch name contains the attack payload. (Note that workflows for first-time PR contributors are not run automatically, but an attacker can submit a valid PR first and then submit the malicious one.) This can be used to execute code on the GitHub runners (for example for crypto-mining, wasting your resources) and to exfiltrate any secrets used in the CI pipeline.

### Patches

> Pass the variable as an environment variable and then use the environment variable instead of substituting it directly.

The patched action is available on tag **v4**, tag **v4.4.1**, and any tag beyond.

### Workarounds

No workaround is available; if impacted, please upgrade the version.

> ℹ️ **v3** and **v4** are compatible.

### References

[Here](https://securitylab.github.com/research/...

GHSA-jqv5-7xpx-qj74: sqlite vulnerable to code execution due to Object coercion

### Impact

Due to the underlying implementation of `.ToString()`, it is possible to execute arbitrary JavaScript, or to achieve a denial of service, if a binding parameter is a crafted Object. Users of `sqlite3` v5.0.0 - v5.1.4 are affected by this.

### Patches

Fixed in v5.1.5. All users are recommended to upgrade to v5.1.5 or later.

### Workarounds

* Ensure there is sufficient sanitization in the parent application to protect against invalid values being supplied to binding parameters.

### References

* Commit: https://github.com/TryGhost/node-sqlite3/commit/edb1934dd222ae55632e120d8f64552d5191c781

### For more information

If you have any questions or comments about this advisory:

* Email us at [[email protected]](mailto:[email protected])

Credits: Dave McDaniel of Cisco Talos

GHSA-9qvw-fhj2-xqmv: Code Injection in alextselegidis/easyappointments

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0 due to unescaped output.

GHSA-hc6q-2mpp-qw7j: Cross-realm object access in Webpack 5

Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.

GHSA-qq2j-9pf8-g58c: Company admin role gives excessive privileges in eZ Platform Ibexa

Users with the Company admin role (introduced by the company account feature in v4) can assign any role to any user. This also applies to any other user that has the role / assign policy. Any subtree limitation in place does not have any effect. The role / assign policy is typically only given to administrators, which limits the scope in most cases, but please verify who has this policy in your installation. The fix ensures that subtree limitations are working as intended.

GHSA-c737-jhwr-fqxj: Cross Site Scripting in eZ Platform Ibexa Kernel

## Impact

In file upload it is possible by certain means to upload files like .html and .js. These may contain XSS exploits which will be run when links to them are accessed by victims.

## Patches

The fix consists simply of adding common types of scriptable file types to the configuration of the already existing filetype blacklist feature. See "Patched versions". As such, this can also be done manually, without installing the patched versions. This may be relevant if you are currently running a considerably older version of the kernel package and don't want to upgrade it at this time. Please see the setting "ezsettings.default.io.file_storage.file_type_blacklist" at: https://github.com/ezsystems/ezplatform-kernel/blob/master/eZ/Bundle/EzPublishCoreBundle/Resources/config/default_settings.yml#L109

## Important note

You should adapt this setting to your needs. Do not add file types to the blacklist that you actually need to be able to upload. For instance, if...

GHSA-66m4-gc8h-hpjx: Timing attack in eZ Platform Ibexa

Ibexa DXP is using random execution time to hinder timing attacks against user accounts, a method of discovering whether a given account exists in a system without knowing its password, thus affecting privacy. This implementation was found to not be good enough in some situations. The fix replaces this with constant time functionality, configured in the new security.yml parameter 'ibexa.security.authentication.constant_auth_time'. It will log a warning if the constant time is exceeded. If this happens the setting should be increased.

GHSA-89p3-9j8c-fqh4: User account enumeration in eZ Publish Ibexa Kernel

This Security Advisory is about a vulnerability in eZ Platform v1.13, v2.5, and v3.2, and in Ibexa DXP and Ibexa Open Source v3.3. The /user/sessions endpoint can let an attacker detect if a given username or email refers to a valid account. This can be detected through differences in the response data or response time of certain requests. The fix ensures neither attack is possible. The fix is distributed via Composer.

GHSA-h5v2-wrhp-5v35: Access control issue in ezsystems/ezpublish-kernel

Access control based on object state is mishandled. This is a policy you can use in your roles to limit access to content based on specific object state values. Due to a flawed earlier update, these limitations were ineffective in releases made since February 16th 2022. They would grant access to the given content regardless of the object state. Depending on how your frontend is designed, knowing the URL to the content may or may not be required to access it. If you are using object state limitations in your roles, this issue is critical. Please apply the fix as soon as possible.

GHSA-v829-x6hh-cqfq: Crossplane-runtime contains Improper Input Validation via Compositions

### Summary

Fuzz testing, by Ada Logics and sponsored by the CNCF, identified a [vulnerability](https://github.com/crossplane/crossplane-runtime/security/advisories/GHSA-vfvj-3m3g-m532) in the `fieldpath` package from `crossplane/crossplane-runtime` that an already highly privileged Crossplane user able to create or update Compositions could leverage to cause an out-of-memory panic in Crossplane.

### Details

Compositions allow users to specify patches inserting elements into arrays at an arbitrary index. When a Composition is selected for a Composite Resource, patches are evaluated, and if a specified index is greater than the current size of the target slice, that slice's size will be increased to the specified index. This could lead to an excessive amount of memory usage and therefore the Pod being OOM-killed. The index is already capped to the maximum value for a uint32 (4294967295) when parsed, but that is still an unnecessarily large value.

### Workaround

Users can restrict w...