ghsa

Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function. User input is not properly sanitized before rendering in the `textarea` component.

### Impact An attacker can send an invalid `Content-Type` header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected. (This was updated: upon a close inspection, v3.x is not affected after all). ### Patches Yes, update to `> v4.8.0`. ### Workarounds You can reject the malicious content types before the body parser enters in action. ```js const badNames = Object.getOwnPropertyNames({}.__proto__) fastify.addHook('onRequest', async (req, reply) => { for (const badName of badNames) { if (req.headers['content-type'].indexOf(badName) > -1) { reply.code(415) throw new Error('Content type not supported') } } }) ``` ### References See the HackerOne report [#1715536](https://hackerone.com/bugs?report_id=1715536&subject=fastify) ### For more information [Fastify security policy](https://github.com/fastify/fastify/security/policy)

### Impact There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. ### Patches Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5 ### Workarounds No workaround. ### For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

### Impact Debug logs expose sensitive URLs for Slack webhooks that contain private information. ### Patches The problem is fixed in v1.3.2 which redacts sensitive URLs for webhooks. ### Workarounds Disabling/filtering debug logs in case you use Slack webhooks using tracing log level and filters. ### References https://github.com/abdolence/slack-morphism-rust/releases/tag/v1.3.2 ### For more information If you have any questions or comments about this advisory: * Open an issue in [repo](https://github.com/abdolence/slack-morphism-rust) * Read our [security policy](https://github.com/abdolence/slack-morphism-rust/blob/master/SECURITY.md)

### Impact _What kind of vulnerability is it? Who is impacted?_ The default cookie name (and documentation recommendation) was prefixed with `Host__` instead of `__Host-`. The point of this prefix is for additional security, to ensure that, when no domain option is provided in the cookie options, we can guarantee the cookie came from the correct domain. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Yes, the problem is patched from version 2.2.1, this will not be back ported, but you can use the workaround described below. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ You can work around this by providing a custom `cookieName` as part of the options, which is correctly prefixed with `__Host-`. ### References _Are there any links users can visit to find out more?_ https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#cookie-with-__host-prefix ...

A lack of user input validation leads to an open redirect vulnerability in rdiffweb prior to 2.5.0a4.

### Impact Weak encryption on CSRF so tokens can be read by malicious attackers. ### Patches Problems have been patched as of v1.1.0 ### Workarounds Upgrade to v1.1.0 ### References https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html ### For more information Submit an issue at [the github repo](https://github.com/valexandersaulys/tiny-csrf)

### Impact An authenticated user can perform a remote Denial of Service attack against Fat Free CRM. This vulnerability has been assigned the CVE identifier: CVE-2022-39281 Affected versions: All Not affected: None Fixed versions: 0.20.1 All users running an affected release should either upgrade or apply the patch immediately. ### Releases Fixed versions: 0.20.1 and above ### Patches If you are unable to upgrade immediately, you should apply the following patch. ``` diff --git a/app/models/polymorphic/task.rb b/app/models/polymorphic/task.rb index d3d5c32c..7cdb24d6 100644 --- a/app/models/polymorphic/task.rb +++ b/app/models/polymorphic/task.rb @@ -189,6 +189,7 @@ class Task < ActiveRecord::Base #---------------------------------------------------------------------------- def self.bucket_empty?(bucket, user, view = "pending") return false if bucket.blank? || !ALLOWED_VIEWS.include?(view) + return false unless Setting.task_bucket.map(&:to_s).include?(bucket.to_s) ...

In Apache Airflow, prior to version 2.4.1, deactivating a user wouldn't prevent an already authenticated user from being able to continue using the UI or API.

NocoDB prior to 0.92.0 allows actors to insert large characters into the input field `New Project` on the create field, which can cause a Denial of Service (DoS) via a crafted HTTP request. Version 0.92.0 fixes this issue.