Security
GHSA-5m3m-q8cq-77g4: funadmin vulnerable to insecure file upload

funadmin v3.3.2 and v3.3.3 are vulnerable to insecure file upload via the plugin install function.

GHSA-rwcp-qrwg-56cg: Casdoor Cross-Site Request Forgery vulnerability

Casdoor v1.331.0 and below were discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in the endpoint `/api/set-password`. It allows attackers to arbitrarily change a victim user's password by supplying a crafted URL.

GHSA-q2fp-jw87-86px: laravel-s vulnerable to Local File Inclusion

laravel-s prior to 3.7.36 is vulnerable to Local File Inclusion via `/src/Illuminate/Laravel.php`.

GHSA-j8xg-fqg3-53r7: word-wrap vulnerable to Regular Expression Denial of Service

All versions of the package word-wrap are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of an insecure regular expression within the result variable.

GHSA-8jxm-xp43-qh3q: Sliver vulnerable to MitM attack against implants due to a cryptography vulnerability

### Summary

The current cryptography implementation in Sliver up to version 1.5.39 allows a MitM with access to the corresponding implant binary to execute arbitrary code on implanted devices via intercepted and crafted responses. (Reserved CVE ID: CVE-2023-34758)

### Details

Please see [the PoC repo](https://github.com/tangent65536/Slivjacker).

### PoC

Please also see [the PoC repo](https://github.com/tangent65536/Slivjacker). To set up a simple PoC environment:

1. Generate an implant with its C2 set to the PoC server's address and copy the embedded private implant key and public server key into the config json.
2. Run the implant on a separate VM; a `notepad.exe` window should pop up on the implanted VM.

### Impact

A successful attack grants the attacker permission to execute arbitrary code on the implanted device.

### References

https://github.com/BishopFox/sliver/blob/master/implant/sliver/cryptography/implant.go
https://github.com/BishopFox/sliver/blob/master/...

GHSA-xcf7-rvmh-g6q4: `openssl` `X509VerifyParamRef::set_host` buffer over-read

When this function was passed an empty string, `openssl` would attempt to call `strlen` on it, reading arbitrary memory until it reached a NUL byte.
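The mechanism behind this over-read is a C calling convention: OpenSSL's `X509_VERIFY_PARAM_set1_host` treats `namelen == 0` as "the name is NUL-terminated, measure it with strlen", and a Rust `&str` is not NUL-terminated. The block below is an added illustration, not code from the `openssl` crate; `mock_set1_host` is a local stand-in that models only that length rule, and the NUL-substitution fix shown is one assumed way to close the gap, not necessarily the upstream patch.

```rust
// Added illustration of the "namelen == 0 means NUL-terminated" C contract that
// the advisory describes. `mock_set1_host` stands in for OpenSSL's
// X509_VERIFY_PARAM_set1_host; it is a local simulation, not the real FFI call.

/// Minimal strlen: reads bytes until the first NUL. Like the C original it has
/// no bound, so the caller must guarantee a terminator exists.
unsafe fn c_strlen(p: *const u8) -> usize {
    let mut n = 0;
    while *p.add(n) != 0 {
        n += 1;
    }
    n
}

/// Simulated C side. OpenSSL documents that when `namelen` is 0 the `name`
/// argument must be NUL-terminated and its length is taken with strlen.
/// Returns the number of bytes the C side would treat as the hostname.
unsafe fn mock_set1_host(name: *const u8, namelen: usize) -> usize {
    if namelen == 0 {
        c_strlen(name)
    } else {
        namelen
    }
}

/// Pre-fix shape of the wrapper: forwards the slice pointer and length as-is.
/// Rust `&str` data is not NUL-terminated, so `set_host_vulnerable("")` hands
/// the C side `namelen == 0` and strlen walks off the end of the slice.
/// Never call this with an empty string; the over-read is real.
fn set_host_vulnerable(host: &str) -> usize {
    unsafe { mock_set1_host(host.as_ptr(), host.len()) }
}

/// Hardened wrapper (the approach assumed here, not necessarily the upstream
/// patch): for an empty host, point the C side at a NUL-terminated empty
/// string so the strlen it runs for `namelen == 0` stops at the first byte.
fn set_host_fixed(host: &str) -> usize {
    let raw: &str = if host.is_empty() { "\0" } else { host };
    unsafe { mock_set1_host(raw.as_ptr(), host.len()) }
}

fn main() {
    println!("fixed, empty host: {} bytes consumed", set_host_fixed(""));
    println!("fixed, example.com: {} bytes consumed", set_host_fixed("example.com"));
    println!("vulnerable, example.com: {} bytes consumed", set_host_vulnerable("example.com"));
}
```

The general lesson for FFI wrappers is that a length argument with a sentinel meaning ("0 = use strlen") cannot be forwarded from a Rust slice verbatim; either the wrapper rejects the sentinel-producing input outright, or it guarantees the terminator the C side will look for.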

GHSA-564w-97r7-c6p9: Livebook Desktop's protocol handler can be exploited to execute arbitrary command on Windows

On Windows, it is possible to open a `livebook://` link from a browser that opens Livebook Desktop and triggers arbitrary code execution on the victim's machine. Any user running Livebook Desktop on Windows is potentially vulnerable to arbitrary code execution when they expect Livebook to be opened from a browser link.

GHSA-wfg4-322g-9vqv: memoffset allows reading uninitialized memory

memoffset allowed attempting to read data from address `0` as an arbitrary type. This is undefined behavior because the bytes from address `0` to `std::mem::size_of::<T>()` may not hold a valid bit pattern for `T`. The old implementation dereferenced uninitialized memory obtained from `std::mem::align_of`. The implementation before that allowed using uninitialized data obtained from `std::mem::uninitialized` with an arbitrary type and then computed the offset by taking the address of a field projection. This may also result in undefined behavior for a "father" (parent) type that includes (directly or transitively) a type that [does not allow being uninitialized](https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html). This flaw was corrected by using `std::ptr::addr_of` in <https://github.com/Gilnaa/memoffset/pull/50>.
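The sound pattern the fix relies on is to take the field address from `MaybeUninit` storage with `std::ptr::addr_of!`, so that no reference to uninitialized memory (or to address `0`) is ever created. The block below is an added example and not memoffset's own code; the `Packet` type and the `offset_of!` macro name are made up for the demonstration.

```rust
// Added illustration of the sound offset computation the advisory's fix relies
// on: `MaybeUninit` storage plus `std::ptr::addr_of!`, so no reference to
// uninitialized memory (or to address 0) is ever created. `Packet` is a
// made-up type for the demonstration.
use std::mem::MaybeUninit;
use std::ptr::addr_of;

// `repr(C)` fixes the layout so the offsets below are predictable:
// tag at 0, len at 2 (u16 alignment), payload at 4, total size 8.
#[repr(C)]
struct Packet {
    tag: u8,
    len: u16,
    payload: [u8; 4],
}

/// Byte offset of `$field` within `$ty`.
///
/// The rejected patterns: `&(*(0 as *const $ty)).$field` forms a reference at
/// address 0, and `let v: $ty = std::mem::uninitialized(); &v.$field` forms a
/// reference to garbage; both are undefined behavior even if the bytes are
/// never read. `addr_of!` yields a raw pointer to the field from a place
/// expression without creating a reference, so the bytes are never inspected.
macro_rules! offset_of {
    ($ty:ty, $field:ident) => {{
        let storage = MaybeUninit::<$ty>::uninit();
        let base: *const $ty = storage.as_ptr();
        // SAFETY: `base` is a valid, properly aligned pointer to storage for
        // `$ty`; `addr_of!` only computes the field address and reads nothing.
        let field: *const _ = unsafe { addr_of!((*base).$field) };
        (field as usize) - (base as usize)
    }};
}

/// Offsets of every `Packet` field, in declaration order.
fn packet_offsets() -> (usize, usize, usize) {
    (
        offset_of!(Packet, tag),
        offset_of!(Packet, len),
        offset_of!(Packet, payload),
    )
}

fn main() {
    let (tag, len, payload) = packet_offsets();
    println!(
        "tag={tag} len={len} payload={payload} size={}",
        std::mem::size_of::<Packet>()
    );
}
```

Because `MaybeUninit<T>` is allowed to hold any bytes, taking its address is always valid; the only operation performed on that address is pointer arithmetic, which is exactly what the earlier implementations got wrong by going through a reference first.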

GHSA-5wrg-8fxp-cx9r: passport-wsfed-saml2 Signature Bypass vulnerability

## Information

Please note that this is not a new disclosure; it was previously reported in our [SECURITY-NOTICE.md](https://github.com/auth0/passport-wsfed-saml2/commit/520b9fc0bb4249ce83bec47e30153419f086ab70), which we removed in favor of a GitHub advisory.

# Overview

A vulnerability was found in the validation of a SAML signature. The validation doesn't ensure that the "Signature" tag is at the proper location inside an "Assertion" tag. This leads to a signature relocation attack where the attacker can corrupt one field of data while keeping the signature valid. This could allow an authenticated attacker to "remove" one group from the assertion or corrupt another field of an assertion.

# Am I affected?

You are affected if you are using the passport-wsfed-saml2 library at a version < 3.0.10.

# How do I fix it?

You may fix this issue by upgrading the passport-wsfed-saml2 library to version 3.0.10 or above.

# Will the fix impact my users?

This fix patches the library that your ap...

GHSA-wg6p-jmpc-xjmr: Backstage Scaffolder plugin has insecure sandbox

The Backstage scaffolder-backend plugin uses a templating library that requires a sandbox, as it by design allows for code injection. The library used for this sandbox so far has been `vm2`, but in light of several past vulnerabilities and existing vulnerabilities that may not have a fix, the plugin has switched to using a different sandbox library.

### Impact

A malicious actor with write access to a registered scaffolder template could manipulate the template in a way that allows for remote code execution on the scaffolder-backend instance. This was only exploitable in the template YAML definition itself and not via user input data.

### Patches

This vulnerability is fixed in version 1.15.0 of `@backstage/plugin-scaffolder-backend`.

### Workarounds

Note that the [Backstage Threat Model](https://backstage.io/docs/overview/threat-model) states that scaffolder templates are considered to be a sensitive area, with the recommendation that you control access and perform manual r...