Source
ghsa
A bypass has been found that allows an attacker to upload an SVG containing a persistent XSS payload. HTML elements inside CDATA sections were not sanitized correctly: the library converted CDATA content to a text node, so the markup inside it was never seen as DOM elements. Any data within a CDATA node is now sanitized using [HTMLPurifier](https://github.com/ezyang/htmlpurifier). We've also removed many of the HTML and MathML elements from the allowed element list, since without `foreignObject` they are not legal in the SVG context. Additional tests have been added to the test suite to cover these bypasses.

### Impact
This impacts all users of the `svg-sanitizer` library.

### Patches
This issue is fixed in 0.16.0 and higher.

### Workarounds
There is currently no workaround available without upgrading.

### For more information
If you have any questions or comments about this advisory:
- Open an issue in [GitHub](https://github.com/darylldoyle/svg-sanitizer/issues)
- Email us at [daryll@ens...
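The failure mode above, as an added Python illustration that is not svg-sanitizer's code: an element-allowlist sanitizer never inspects text or CDATA nodes, and a serializer that writes in HTML mode emits CDATA content verbatim (HTML has no CDATA sections), so `<script>` hidden in `<![CDATA[...]]>` comes out as live markup. The allowlist, the sample SVGs, `serialize_html_style` (which stands in for an HTML-mode serializer) and the function names are constructed for this example. The hardened variant simply turns CDATA into escaped text; the library's actual patch runs the CDATA content through HTMLPurifier instead, which is what you want when legitimate content (such as CSS in `<style>`) must survive.

```python
# Added illustration (not svg-sanitizer code): how markup inside a CDATA section
# slips past an element-allowlist sanitizer, and one way to close the gap.
from xml.dom import minidom
from xml.dom.minidom import Node
from xml.sax.saxutils import escape

# Illustrative allowlist of SVG element names; the real library's list is longer.
ALLOWED_ELEMENTS = {"svg", "g", "text", "rect", "circle", "path", "style"}
ATTR_ESCAPES = {'"': "&quot;"}

# Constructed samples. The first hides <script> inside CDATA within an allowed
# element; the second uses a plain <script> element, which the allowlist catches.
CDATA_PAYLOAD_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    "<text><![CDATA[<script>alert(1)</script>]]></text>"
    "</svg>"
)
PLAIN_SCRIPT_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'


def strip_disallowed_elements(node):
    """Naive sanitizer: walk the tree and drop elements not on the allowlist.
    Text and CDATA nodes are never inspected, which is the weak spot."""
    for child in list(node.childNodes):
        if child.nodeType == Node.ELEMENT_NODE:
            if child.tagName not in ALLOWED_ELEMENTS:
                node.removeChild(child)
            else:
                strip_disallowed_elements(child)


def serialize_html_style(node):
    """Serialize like an HTML serializer would: text nodes are escaped, but CDATA
    content is written verbatim because HTML has no CDATA sections."""
    if node.nodeType == Node.DOCUMENT_NODE:
        return serialize_html_style(node.documentElement)
    if node.nodeType == Node.TEXT_NODE:
        return escape(node.data)
    if node.nodeType == Node.CDATA_SECTION_NODE:
        return node.data  # verbatim: hidden markup becomes live markup
    if node.nodeType == Node.ELEMENT_NODE:
        attrs = "".join(
            f' {name}="{escape(value, ATTR_ESCAPES)}"'
            for name, value in node.attributes.items()
        )
        inner = "".join(serialize_html_style(c) for c in node.childNodes)
        return f"<{node.tagName}{attrs}>{inner}</{node.tagName}>"
    return ""  # comments, processing instructions: dropped


def sanitize_naive(svg):
    """Allowlist filtering only: vulnerable to the CDATA bypass."""
    doc = minidom.parseString(svg)
    strip_disallowed_elements(doc)
    return serialize_html_style(doc)


def unwrap_cdata(node, doc):
    """Hardened step: replace each CDATA section with a plain text node so its
    content is escaped on output instead of being emitted verbatim."""
    for child in list(node.childNodes):
        if child.nodeType == Node.CDATA_SECTION_NODE:
            node.replaceChild(doc.createTextNode(child.data), child)
        elif child.nodeType == Node.ELEMENT_NODE:
            unwrap_cdata(child, doc)


def sanitize_hardened(svg):
    """Unwrap CDATA first, then apply the same allowlist filtering."""
    doc = minidom.parseString(svg)
    unwrap_cdata(doc, doc)
    strip_disallowed_elements(doc)
    return serialize_html_style(doc)


if __name__ == "__main__":
    print("naive:   ", sanitize_naive(CDATA_PAYLOAD_SVG))
    print("hardened:", sanitize_hardened(CDATA_PAYLOAD_SVG))
```

The point generalizes beyond `<script>`: any check that runs over element nodes has to be repeated for whatever the output serializer will later turn back into markup, so the sanitizer and the serializer must agree on what a CDATA node means.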
### Impact
An unsecured tooltip field in the DataObject class definition allows injected script to run in other users' browsers. This could let an attacker steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or redirect users to other malicious sites.

### Patches
Update to version 10.5.19 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14574.patch

### Workarounds
Apply https://github.com/pimcore/pimcore/pull/14574.patch manually.

### References
### Impact
Stored XSS vulnerability in the Expiry field of the Redirects module. This could let an attacker steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or redirect users to other malicious sites.

### Patches
Update to version 10.5.19 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14562.patch

### Workarounds
Apply https://github.com/pimcore/pimcore/pull/14562.patch manually.

### References
https://huntr.dev/bounties/ae0f2ec4-a245-4d0b-9d4d-bd8310dd6282/
### Impact
This vulnerability could let an attacker steal a user's cookie and gain unauthorized access to that user's account through the stolen cookie, or redirect users to other malicious sites.

### Patches
Update to version 10.5.19 or apply this patch manually: https://github.com/pimcore/pimcore/pull/14631.patch

### Workarounds
Apply https://github.com/pimcore/pimcore/pull/14631.patch manually.

### References
https://huntr.dev/bounties/82adf0dd-8ebd-4d15-9f91-6060c8fa5a0d/
Excessive Iteration vulnerability in Apache Software Foundation Apache Sling Resource Merger. This issue affects Apache Sling Resource Merger: from 1.2.0 before 1.4.2.
Cross-site Scripting (XSS) - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0.
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication.
Versions of the package collection.js before 6.8.1 are vulnerable to Prototype Pollution via the `extend` function in `Collection.js/dist/node/iterators/extend.js`.
## Description

snappy is vulnerable to PHAR deserialization because the output path is passed to `file_exists()` without any check on its protocol (stream wrapper). An attacker who can upload a file of any type to the server can supply a `phar://` path pointing at that file; `file_exists()` then opens it as a PHAR archive, unserializing the archive's metadata and instantiating arbitrary PHP objects. This can lead to remote code execution, especially when snappy is used with frameworks that have documented POP chains (such as Laravel or Symfony) or alongside vulnerable developer code. If a user can control the output file path given to `generateFromHtml()`, the deserialization is triggered.

## Proof of Concept

Install snappy with `composer require knplabs/knp-snappy`. Then, in the snappy directory, create an `index.php` file with the following vulnerable code.

```php
<?php
// index.php

// include autoloader
require __DIR__ . '/vendor/autoload.php';

// reference the snappy namespace
use Knp\Snappy\Pdf;

// vulnerable object
class VulnerableClass {
    public $fileName;
    public $callback;
    ...
```
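The check the advisory says is missing, as an added Python illustration (not knp-snappy's code): reject any stream-wrapper prefix before the existence check, and confine the output path to one directory. PHP's `file_exists()` honours wrappers such as `phar://`; Python's `os.path` does not, so here the wrapper is caught by a scheme-prefix test. The function names `validate_output_path` and `is_safe_output_path`, the directory `/var/app/output` and the sample paths are constructed for this example.

```python
# Added illustration (not knp-snappy code): validate a user-supplied output
# path before handing it to any filesystem call that understands wrappers.
import os
import re

# Any "scheme://" prefix (phar://, file://, data://, php://, ...) selects a
# stream wrapper in PHP, so none of them may appear in a plain file path.
WRAPPER_PREFIX = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://")


def validate_output_path(requested, output_dir):
    """Return an absolute, normalised path inside output_dir, or raise ValueError.

    Rejects NUL bytes, any stream-wrapper prefix, and paths that escape
    output_dir (via '..' components, absolute paths, or symlinks resolved by
    realpath).
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in path")
    if WRAPPER_PREFIX.match(requested):
        raise ValueError("stream wrapper not allowed: " + requested.split("://", 1)[0])
    base = os.path.realpath(output_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes output directory")
    return candidate


def is_safe_output_path(requested, output_dir):
    """Boolean wrapper around validate_output_path for allow/deny decisions."""
    try:
        validate_output_path(requested, output_dir)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a normal file name, a phar:// wrapper aimed at an
    # uploaded file, and a traversal attempt.
    for p in ("report.pdf", "phar://uploads/evil.jpg/test.txt", "../../etc/passwd"):
        verdict = "allowed" if is_safe_output_path(p, "/var/app/output") else "rejected"
        print(f"{p!r}: {verdict}")
```

Do the wrapper check on the raw string before any normalisation: once the path has been joined to a base directory the `phar://` prefix is no longer at the start and a prefix test would miss it, while PHP would still see the wrapper if the raw value reached `file_exists()` first.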