ghsa

Versions of the package @nestjs/core before 9.0.5 are vulnerable to Information Exposure via the StreamableFile pipe. Exploiting this vulnerability is possible when the client cancels a request while it is streaming a StreamableFile, the stream wrapped by the StreamableFile will be kept open.

All versions of the package sketchsvg are vulnerable to Arbitrary Code Injection when invoking `shell.exec` without sanitization nor parametrization while concatenating the current directory as part of the command string.

node-static and the fork @nubosoftware/node-static are vulnerable to Directory Traversal due to improper file path sanitization in the startsWith() method in the servePath function.

All versions of the package dot-lens are vulnerable to Prototype Pollution via the `set()` function in `index.js` file.

A vulnerability, which was classified as critical, has been found in json-logic-js 2.0.0. Affected by this issue is some unknown functionality of the file logic.js. The manipulation leads to command injection. Upgrading to version 2.0.1 is able to address this issue. The name of the patch is c1dd82f5b15d8a553bb7a0cfa841ab8a11a9c227. It is recommended to upgrade the affected component. VDB-222266 is the identifier assigned to this vulnerability.

Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.4.

### Summary Directus versions <=9.22.4 is vulnerable to Server-Side Request Forgery (SSRF) when importing a file from a remote web server (POST to `/files/import`). An attacker can bypass the security controls that were implemented to patch vulnerability [CVE-2022-23080](https://security.snyk.io/vuln/SNYK-JS-DIRECTUS-2934713) by performing a [DNS rebinding attack](https://en.wikipedia.org/wiki/DNS_rebinding) and view sensitive data from internal servers or perform a local port scan (eg. can access internal metadata API for AWS at `http://169.254.169.254` event if `169.254.169.254` is in the deny IP list). ### Details DNS rebinding attacks work by running a DNS name server that resolves two different IP addresses when a domain is resolved simultaneously. This type of attack can be exploited to bypass the IP address deny list validation that was added to [`/api/src/services/file.ts`](https://github.com/directus/directus/blob/main/api/src/services/files.ts) for the function `importOne` t...

### Impact If you use the report server, it may be vulnerable to a Denial of Service attack. ### Patches Has been patched in v0.19.2. ### References The vulnerability was inherited by the following upstream vulnerabilites - [golang.org/x/text < v0.3.7](https://github.com/advisories/GHSA-ppp9-7jff-5vj2) - [golang.org/x/net < 0.0.0-20220906165146-f3363e06e74c](https://github.com/advisories/GHSA-69cg-p879-7622)

### Impact It's possible to execute a script with the right of another user (provided the target user does not have programming right). For example, the following: ``` {{context document="xwiki:XWiki.userwithscriptright" transformationContext="document"}}{{velocity}}Hello from Velocity!{{/velocity}}{{/context}} ``` written by a user not having script right (for example in the user's profile) should produce an error (the user is not allowed to write scripts). However, because of the vulnerability, if the author of the document "xwiki:XWiki.userwithscriptright" has script right (but not programming right) the script will be executed with as if it was written by the target user. ### Patches The problem has been patched in XWiki 14.8RC1, 14.4.5 and 13.10.10. ### Workarounds There's no workaround for this issue. ### References https://jira.xwiki.org/browse/XWIKI-19856 ### For more information If you have any questions or comments about this advisory: * Open an issue in [JIRA](htt...

### Impact A user without script rights can introduce a stored XSS by using the Live Data macro. For instance: ``` {{liveData id="movies" properties="title,description"}} { "data": { "count": 1, "entries": [ { "title": "Meet John Doe", "url": "https://www.imdb.com/title/tt0033891/", "description": "<img onerror='alert(1)' src='foo' />" } ] }, "meta": { "propertyDescriptors": [ { "id": "title", "name": "Title", "visible": true, "displayer": {"id": "link", "propertyHref": "url"} }, { "id": "description", "name": "Description", "visible": true, "displayer": "html" } ] } } {{/liveData}} ``` ### Patches This has been patched in XWiki 14.9, 14.4.7, and 13.10.10. ### Workarounds No known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20143 ### For more information If you have any questions or comments about this advisory:...