ghsa

Due to improper type validation in the `socket.io-parser` library (which is used by the `socket.io` and `socket.io-client` packages to encode and decode Socket.IO packets), it is possible to overwrite the _placeholder object which allows an attacker to place references to functions at arbitrary places in the resulting query object. Example: ```js const decoder = new Decoder(); decoder.on(\"decoded\", (packet) => { console.log(packet.data); // prints [ 'hello', [Function: splice] ] }) decoder.add('51-[\"hello\",{\"_placeholder\":true,\"num\":\"splice\"}]'); decoder.add(Buffer.from(\"world\")); ``` This bubbles up in the `socket.io` package: ```js io.on(\"connection\", (socket) => { socket.on(\"hello\", (val) => { // here, \"val\" could be a reference instead of what the user expected }); }); ``` At first sight, the potential impact seems rather limited, but please upgrade to a safe version as soon as possible. This should be fixed by: - https://github.com/socketio/socket....

### Impact This impacts users that use shescape to escape arguments: - for the Unix shell Bash, or any not-officially-supported Unix shell; - using the `escape` or `escapeAll` functions with the `interpolation` option set to `true`. An attacker can cause polynomial backtracking in terms of the input string length due to a Regular Expression in shescape that is vulnerable to Regular Expression Denial of Service (ReDoS). Example: ```javascript import * as shescape from "shescape"; /* 1. Prerequisites */ const options = { interpolation: true, // and shell: "/bin/bash", // or shell: "some-not-officially-supported-shell", // or shell: undefined, // Only if the system's default shell is bash or an unsupported shell. }; /* 2. Attack */ let userInput = '{,'.repeat(150_000); // polynomial backtracking /* 3. Usage */ shescape.escape(userInput, options); // or shescape.escapeAll([userInput], options); ``` ### Patches This bug has been patched in [v1.6.1](https://github.com/...

### Impact A custom stateful precompile can use the `is_static` parameter to determine if the call is executed in a static context (via `STATICCALL`), and thus decide if stateful operations should be done. Previously, the passed `is_static` parameter was incorrect -- it was only set to `true` if the call comes from a **direct** `STATICCALL` opcode. However, once a static call context is entered, it should stay static. The issue only impacts custom precompiles that actually uses `is_static`. The maintainers estimate the usage is low. However, for those affected, it can lead to possible incorrect state transitions. ### Patches PR: https://github.com/rust-blockchain/evm/pull/133 Released in v0.36.0. Older patch versions can be released on request if anyone needs them. Simply contact @sorpaas by email to request it. ### For more information If you have any questions or comments about this advisory: * Open an issue in [evm repo](https://github.com/rust-blockchain/evm) * Email Wei at...

### Impact Gin-vue-admin < 2.5.4 has File upload vulnerabilities。 File upload vulnerabilities are when a web server allows users to upload files to its filesystem without sufficiently validating things like their name, type, contents, or size. Failing to properly enforce restrictions on these could mean that even a basic image upload function can be used to upload arbitrary and potentially dangerous files instead. This could even include server-side script files that enable remote code execution. ### Patches https://github.com/flipped-aurora/gin-vue-admin/pull/1264 ### Workarounds https://github.com/flipped-aurora/gin-vue-admin/pull/1264 ### References #1263 ### For more information The plugin installation function of Gin-Vue-Admin allows users to download zip packages from the plugin market and upload them for installation. This function has an arbitrary file upload vulnerability. A malicious attacker can upload a constructed zip package to traverse the directory and upload or ...

### Impact Skipper prior to version v0.13.236 is vulnerable to server-side request forgery (SSRF). An attacker can exploit a vulnerable version of proxy to access the internal metadata server or other unauthenticated URLs by adding an specific header (X-Skipper-Proxy) to the http request. ### Patches The problem was patched in version https://github.com/zalando/skipper/releases/tag/v0.13.237. Users need to upgrade to skipper `>=v0.13.237`. ### Workarounds Use `dropRequestHeader("X-Skipper-Proxy")` filter ### References https://github.com/zalando/skipper/releases/tag/v0.13.237 ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/zalando/skipper/issues/new/choose * Chat with us in slack: https://app.slack.com/client/T029RQSE6/C82Q5JNH5

When sending Matrix requests using an affected version of `matrix-sdk` in an application that writes logs using `tracing-subscriber` (in a way that includes fields of tracing spans such as `tracing_subscriber`s default text output from the `fmt` module), these logs will contain the user's access token.

### Description Due to the common practice of providing vulnerability details in markdown format, the Dependency-Track frontend renders them using the JavaScript library [Showdown](https://github.com/showdownjs/showdown). Showdown [does not have any XSS countermeasures built in](https://github.com/showdownjs/showdown/wiki/Markdown's-XSS-Vulnerability-(and-how-to-mitigate-it)), and versions before 4.6.1 of the Dependency-Track frontend did not encode or sanitize Showdown's output. This made it possible for arbitrary JavaScript included in vulnerability details via HTML attributes to be executed in context of the frontend. ### Impact Actors with the `VULNERABILITY_MANAGEMENT` permission can exploit this weakness by creating or editing a custom vulnerability and providing XSS payloads in any of the following fields: * Description * Details * Recommendation * References The payload will be executed for users with the `VIEW_PORTFOLIO` permission when browsing to the modified vulnerabil...

### Overview During our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions. ### Am I affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` and you added a tuple with a wildcard (*) assigned to a tupleset relation (the right hand side of a ‘from’ statement). ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is not backward compatible with any authorization model that uses wildcard on a tupleset relation.

### Overview During our internal security assessment, it was discovered that OpenFGA versions `v0.2.3` and prior are vulnerable to authorization bypass under certain conditions. ### Am I Affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior, and your model has a relation defined as a tupleset (the right hand side of a ‘from’ statement) that involves anything other than a direct relationship (e.g. ‘as self’) ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is not backward compatible. Any model involving rewritten tupleset relations will no longer be acceptable and has to be modified.

### Overview During our internal security assessment, it was discovered that `streamed-list-objects` endpoint was not validating the authorization header resulting in the disclosure of objects in the store. ### Am I Affected? You are affected by this vulnerability if you are using `openfga/openfga` version `v0.2.3` or prior and you are exposing the OpenFGA service to the internet. ### How to fix that? Upgrade to version `v0.2.4`. ### Backward Compatibility This update is backward compatible.