Source

ghsa

GHSA-m54f-rp6r-rrrm: XXL-JOB contains a Command execution vulnerability in background tasks

XXL-JOB versions 2.2.0 and prior contain a command execution vulnerability in background tasks.

GHSA-7fqm-jm52-f9vc: rdiffweb vulnerable to Use of Cache Containing Sensitive Information

rdiffweb prior to version 2.4.9 is vulnerable to Use of Cache Containing Sensitive Information. Due to improper cache control, an attacker can view sensitive information even if they are not logged into an account. Version 2.4.9 contains a patch for this issue.

GHSA-mrgp-mrhc-5jrq: vm2 vulnerable to Sandbox Escape resulting in Remote Code Execution on host

### Impact

A threat actor can bypass the sandbox protections to gain remote code execution rights on the host running the sandbox.

### Patches

This vulnerability was patched in the release of version `3.9.11` of `vm2`.

### Workarounds

None.

### References

Github Issue - https://github.com/patriksimek/vm2/issues/467
The file that was patched - https://github.com/patriksimek/vm2/blob/master/lib/setup-sandbox.js#L71
The commit with the patch - https://github.com/patriksimek/vm2/commit/d9a7f3cc995d3d861e1380eafb886cb3c5e2b873#diff-b1a515a627d820118e76d0e323fe2f0589ed50a1eacb490f6c3278fe3698f164

### For more information

If you have any questions or comments about this advisory:
* Open an issue in [VM2](https://github.com/patriksimek/vm2)

GHSA-4phg-hpqm-c3j4: Strapi mishandles hidden attributes within admin API responses

Strapi before 3.6.10 and 4.x before 4.1.10 mishandles hidden attributes within admin API responses.

GHSA-p6fh-xc6r-g5hw: Brokercap Bifrost subject to authentication bypass when using HTTP basic authentication

Bifrost is a middleware package which can synchronize MySQL/MariaDB binlog data to other types of databases. Versions 1.8.6-release and prior are vulnerable to authentication bypass when using HTTP basic authentication. This may allow group members who only have read permissions to make write requests that are normally forbidden to them. Version 1.8.7-release contains a patch. There are currently no known workarounds.

GHSA-8fg9-p83m-x5pq: ReDoS issue in dparse

### Impact

dparse versions prior to 0.5.2 contain a regular expression that is vulnerable to [ReDoS](https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS) (Regular Expression Denial of Service). All users parsing index server URLs with dparse are impacted by this vulnerability.

### Patches

The patch is applied in the `0.5.2` version; all users are recommended to upgrade as soon as possible.

### Workarounds

Avoid passing index server URLs in the source file to be parsed.

### References

[https://github.com/pyupio/dparse/tree/security/remove-intensive-regex](https://github.com/pyupio/dparse/tree/security/remove-intensive-regex)

### For more information

If you have any questions or comments about this advisory:
* Email us at [[email protected]](mailto:[email protected])
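The following is an added example, not dparse's code and not the regex that was actually in dparse. It shows the defect class the advisory names (a backtracking pattern over index server URLs whose match time grows exponentially on near-miss input) and makes the advisory's workaround concrete: strip pip index-URL lines (`-i`, `--index-url`, `--extra-index-url`) from a requirements file before it reaches a regex-based parser, and validate any URL you do keep with a length cap plus `urllib.parse` instead of a backtracking regex. The pattern `VULNERABLE_STYLE_RE` and all function names are hypothetical.

```python
"""Added example (not dparse's code): ReDoS risk in URL regexes and two mitigations."""
from __future__ import annotations

import re
import time
from urllib.parse import urlsplit

# Hypothetical vulnerable-style pattern (assumption; NOT dparse's regex). "[\w.-]+"
# can itself consume dots, so "(?:[\w.-]+\.)+" has exponentially many ways to
# split a host like "a.a.a.a" before the final "$" fails on a bad trailing char.
VULNERABLE_STYLE_RE = re.compile(r"^https?://(?:[\w.-]+\.)+[\w.-]+(?:/\S*)?$")

# pip options that carry an index server URL inside a requirements file.
INDEX_OPTIONS = ("-i", "--index-url", "--extra-index-url")

# Labels of a hostname we are willing to accept (ASCII letters, digits, hyphen).
_LABEL_RE = re.compile(r"[a-z0-9-]+")


def is_index_url_line(line: str) -> bool:
    """True if a requirements-file line passes an index server URL to pip."""
    stripped = line.strip()
    for opt in INDEX_OPTIONS:
        if stripped == opt or stripped.startswith(opt + " ") or stripped.startswith(opt + "="):
            return True
    return False


def strip_index_urls(requirements_text: str) -> tuple[str, list[str]]:
    """The advisory's workaround made mechanical: drop index-server lines before
    the text reaches a regex-based parser. Returns (clean_text, removed_lines)."""
    kept: list[str] = []
    removed: list[str] = []
    for line in requirements_text.splitlines():
        (removed if is_index_url_line(line) else kept).append(line)
    return "\n".join(kept), removed


def validate_index_url(url: str, max_len: int = 2048) -> bool:
    """Linear-time replacement for the regex: cap the length, let urlsplit do the
    structural parsing, and check each host label with a non-nested pattern."""
    if len(url) > max_len:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return all(label and _LABEL_RE.fullmatch(label) for label in parts.hostname.split("."))


def time_match(pattern: re.Pattern[str], text: str) -> float:
    """Seconds spent by pattern.match(text); used only for the demo below."""
    start = time.perf_counter()
    pattern.match(text)
    return time.perf_counter() - start


if __name__ == "__main__":
    # Constructed near-miss inputs: valid-looking host, then "!" makes "$" fail,
    # forcing the vulnerable-style regex to retry every split of the dots.
    for n in (10, 14, 18):
        evil = "http://" + "a." * n + "!"
        ms = time_match(VULNERABLE_STYLE_RE, evil) * 1000
        print(f"{n:2d} dots: regex {ms:8.1f} ms, validate_index_url -> {validate_index_url(evil)}")
    clean, removed = strip_index_urls("requests==2.28.1\n-i https://pypi.example/simple\nflask>=2.0")
    print("kept:", clean.splitlines(), "removed:", removed)
```

Run it stand-alone to watch the regex time roughly double with every extra dot while `validate_index_url` rejects the same input immediately; the constructed requirements text shows the index line being removed before parsing.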

GHSA-6hrg-qmvc-2xh8: joblib vulnerable to arbitrary code execution

All versions of joblib before 1.2.0 are vulnerable to arbitrary code execution via the `pre_dispatch` argument of the `Parallel()` class, because the argument is evaluated with `eval()`.
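As an added example (not joblib's source), the block below puts the defect shape the advisory describes, a `pre_dispatch` string handed to `eval()` with `n_jobs` in scope, next to a hardened parser that accepts only the forms joblib documents for this argument: `"all"`, an integer, or `"<k>*n_jobs"`. The function names `unsafe_pre_dispatch`, `safe_pre_dispatch` and `rejects` are invented for illustration.

```python
"""Added example (not joblib's code): eval()-based vs. parsed pre_dispatch handling."""
from __future__ import annotations

import re

# Only documented spelling we accept for the expression form: "<integer>*n_jobs".
_PRE_DISPATCH_RE = re.compile(r"^\s*(\d+)\s*\*\s*n_jobs\s*$")


def unsafe_pre_dispatch(pre_dispatch, n_jobs: int):
    """Vulnerable shape (illustration of the defect class, NOT joblib's source).
    Any string reaches eval() with n_jobs bound, so a caller that lets untrusted
    input flow into pre_dispatch gets arbitrary code execution."""
    if not isinstance(pre_dispatch, str) or pre_dispatch == "all":
        return pre_dispatch
    return eval(pre_dispatch, {"n_jobs": n_jobs})  # noqa: S307 - the bug on display


def safe_pre_dispatch(pre_dispatch, n_jobs: int) -> int | str:
    """Hardened replacement: no eval(). Accepts "all", a positive int, a string of
    digits, or "<k>*n_jobs"; everything else raises instead of being executed."""
    if pre_dispatch == "all":
        return "all"
    if isinstance(pre_dispatch, bool):  # bool is an int subclass; reject explicitly
        raise TypeError("pre_dispatch must not be a bool")
    if isinstance(pre_dispatch, int):
        if pre_dispatch < 1:
            raise ValueError("pre_dispatch must be >= 1")
        return pre_dispatch
    if isinstance(pre_dispatch, str):
        text = pre_dispatch.strip()
        if text.isdigit() and int(text) >= 1:
            return int(text)
        match = _PRE_DISPATCH_RE.match(text)
        if match and int(match.group(1)) >= 1:
            return int(match.group(1)) * n_jobs
    raise ValueError(f"unsupported pre_dispatch value: {pre_dispatch!r}")


def rejects(pre_dispatch, n_jobs: int) -> bool:
    """True if the hardened parser refuses the value (helper for checks/tests)."""
    try:
        safe_pre_dispatch(pre_dispatch, n_jobs)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a documented form, then an arbitrary expression. The
    # unsafe path happily evaluates both; the safe path only accepts the first.
    for value in ("2*n_jobs", "len('abc') * n_jobs"):
        print(f"{value!r}: unsafe -> {unsafe_pre_dispatch(value, 4)!r}, "
              f"safe rejects -> {rejects(value, 4)}")
```

The benign expression in the demo stands in for the real payload class; anything Python can evaluate, including `__import__('os').system(...)`, goes through the unsafe path unchanged, which is why the fix is a grammar for the few documented forms rather than a filtered `eval()`.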

GHSA-grjp-4jmr-mjcw: express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute

The package express-xss-sanitizer before 1.1.3 is vulnerable to Prototype Pollution via the `allowedTags` attribute, allowing an attacker to bypass XSS sanitization.

GHSA-hrj7-f62f-j7x7: rdiffweb allows unlimited length of root directory name, which could result in DoS

rdiffweb prior to 2.4.8 has no limit on the length of root directory names. Allowing users to enter long strings may result in a denial of service or memory corruption. Version 2.4.8 defines a field limit for username, email, and root directory.

GHSA-qq29-5vjh-vxwr: rdiffweb vulnerable to Improper Cleanup on Thrown Exception

rdiffweb prior to version 2.4.8 is vulnerable to Improper Cleanup on Thrown Exception. This could allow an attacker to display a message of their choice onto a web page. Version 2.4.8 contains a fix for this issue.