Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-833c-xh79-p429: A potential risk in clusternet which can be leveraged to make a cluster-level privilege escalation

## Summary: A potential risk in clusternet which can be leveraged to make a cluster-level privilege escalation. ## Detailed analysis: The clusternet has a deployment called cluster-hub inside the clusternet-system Kubernetes namespace, which runs on worker nodes randomly. The deployment has a service account called clusternet-hub, which has a cluster role called clusternet:hub via cluster role binding. The clusternet:hub cluster role has "*" verbs of "*.*" resources. Thus, if a malicious user can access the worker node which runs the clusternet, he/she can leverage the service account to do malicious actions to critical system resources. For example, he/she can leverage the service account to get ALL secrets in the entire cluster, resulting in cluster-level privilege escalation.

ghsa
Open in Source
#git#kubernetes
GHSA-3qj8-93xh-pwh2: Starlette allows an unauthenticated and remote attacker to specify any number of form fields or files

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

GHSA-mj9r-fpv3-rgfx: Shopware vulnerable to cross-site scripting (XSS)

Shopware v5.5.10 was discovered to contain a cross-site scripting (XSS) vulnerability.

GHSA-67mg-gm8m-ph5r: Improper Authorization in modoboa

In modoboa prior to 2.1.0, sending a GET request to the endpoint `/api/v2/parameters/core/` returns sensitive information without any authentication or authorization.

GHSA-6pvf-cq4f-hfjp: modoboa vulnerable to Cross-Site Request Forgery

modoboa prior to 2.1.0 is vulnerable to cross-site request forgery. An attacker must be logged in as admin to exploit this issue.

GHSA-h3r8-h5qw-4r35: sidekiq vulnerable to cross-site scripting

sidekiq prior to 7.0.8 is vulnerable to reflected cross-site scripting.

GHSA-g66v-3v62-g375: RosarioSIS improper access control vulnerability

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button.

GHSA-jgg7-w2rj-58cj: XWiki Platform vulnerable to privilege escalation from view right on XWiki.Notifications.Code.LegacyNotificationAdministration

### Impact Steps to reproduce: Open <xwiki-host>/xwiki/bin/view/XWiki/Notifications/Code/LegacyNotificationAdministration?since=%7B%7B%2Fhtml%7D%7D+%7B%7Basync+async%3D%22true%22+cached%3D%22false%22+context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln%28%22Hello+%22+%2B+%22from+groovy%21%22%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D, where <xwiki-host> is the URL of your XWiki installation. This demonstrates an XWiki syntax injection attack via the since-parameter, allowing privilege escalation from view to programming rights. ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8 and 14.10.3. ### Workarounds For versions >= 14.6-rc-1 the workaround is to modify the page `XWiki.Notifications.Code.LegacyNotificationAdministration` to add the missing escaping, as described on https://github.com/xwiki/xwiki-platform/commit/8e7c7f90f2ddaf067cb5b83b181af41513028754#diff-4e13f4ee4a42938bf1201b7ee71ca32edeacba22559daf0bcb89d534e0225949R70 For vers...

GHSA-jgrg-qvpp-9vwr: XWiki Platform vulnerable to code injection from account through AWM view sheet

### Impact Steps to reproduce: 1. As a user without script or programming right, edit your user profile (or any other document) with the wiki editor and add the content `{{groovy}}println("Hello " + "from Groovy!"){{/groovy}}` 1. Edit the document with the object editor and add an object of type AppWithinMinutes.LiveTableClass (no values need to be set, just save) 1. View the document ### Patches The vulnerability has been patched in XWiki 15.0-rc-1 and 14.10.3. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20423 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])

GHSA-gpq5-7p34-vqx5: XWiki Platform's async and display macro allow displaying and interacting with any document in restricted mode

### Impact It's possible to display any page you cannot access through the combination of the async and display macro. Steps to reproduce: 1. Enable comments for guests by giving guests comment rights 2. As a guest, create a comment with content ```{{async}}{{display reference="Menu.WebHome" /}}{{/async}}``` 3. Open the comments viewer from the menu (appends ?viewer=comments to the URL) -> the `Menu.WebHome` is displayed while the expectation would be to have an error that the current user is not allowed to see it ### Patches The vulnerability has been patched in XWiki 15.0-rc-1, 14.10.3, 14.4.8, and 13.10.11. ### Workarounds There is no known workaround. ### References https://jira.xwiki.org/browse/XWIKI-20394 https://jira.xwiki.org/browse/XRENDERING-694 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://jira.xwiki.org/) * Email us at [Security Mailing List](mailto:[email protected])