ghsa

SQL Injection in GitHub repository owncast/owncast prior to 0.0.13.

The package com.github.samtools:htsjdk before 3.0.1 are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the createTempDir() function in util/IOUtil.java not checking for the existence of the temporary directory before attempting to create it.

This affects all versions of package static-dev-server. This is because when paths from users to the root directory are joined, the assets for the path accessed are relative to that of the root directory. There is currently no known workaround or fix for this issue.

On November 17, 2022, an email was received from Bitly advising that the new link quota per free token is lowered to 50 per month (from its previous value of 1000 per month). As per the email, this change is effective on December 8, 2022. The new quota is so low as to not be useful. For this reason, the maintenance of this package is being discontinued, although the package should continue to function with the limited new quota.

There is a cross-site scripting vulnerability on the management system of baserCMS. This is a vulnerability that needs to be addressed when the management system is used by an unspecified number of users. If you are eligible, please update to the new version as soon as possible. ### Target baserCMS 4.7.1 and earlier versions ### Vulnerability Execution of malicious JavaScript code may alter the display of the page or leak cookie information. - In Favorite registration (CVE-2022-39325) - In Permission Settings (CVE-2022-41994) - In User group management (CVE-2022-42486) ### Countermeasures Update to the latest version of baserCMS ### Credits - Shogo Iyota@Mitsui Bussan Secure Directions, Inc. - YUYA KOTAKE@CARTA HOLDINGS, INC.

### Impact On Unix-like operating systems (not Windows or macos), MPXJ's use of `File.createTempFile(..)` results in temporary files being created with the permissions `-rw-r--r--`. This means that any other user on the system can read the contents of this file. When MPXJ is reading a type of schedule file which requires the creation of a temporary file or directory, a knowledgeable local user could locate these transient files while they are in use and would then be able to read the schedule being processed by MPXJ. ### Patches The problem has been patched, MPXJ version 10.14.1 and later includes the necessary changes. ### Workarounds Setting `java.io.tmpdir` to a directory to which only the user running the application has access will prevent other users from accessing these temporary files. ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/joniles/mpxj

code injection in `Wrapper::buildClientWrapperCode` via manipulation of the `$client` argument. It was possible to force the client to access local files or connect to undesired urls instead of the intended target server's url.

### Impact On sites where members is enabled (this is the default) it is possible for members (unprivileged users) to make changes to newsletter settings. This gives unprivileged users the ability to view and change settings they were not intended to have access to. They are not able to escalate their privileges permanently or get access to further information. This issue was caused by a gap in our API validation for nested objects. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version between v4.46.0 and v4.48.7 or any version of v5 prior to v5.22.7. Immediate action should be taken to secure your site - see patches & workarounds below. ### Patches - v4.48.8 / v5.22.7 are patched for all known exploits - v4.48.9 / v5.24.1 contain deeper fixes to the API to close the potential for this vulnerability to appear elsewhere or regress ### Workarounds...

FusionAuth before 1.41.3 allows a file outside of the application root to be viewed or retrieved using an HTTP request. To be specific, an attacker may be able to view or retrieve any file readable by the user running the FusionAuth process.

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.