ghsa

Observable Response Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

Observable Timing Discrepancy in GitHub repository answerdev/answer prior to 1.0.6.

Business Logic Errors in GitHub repository answerdev/answer prior to 1.0.6.

Cross-site Scripting (XSS) - Stored in GitHub repository answerdev/answer prior to 1.0.7.

Authentication Bypass by Capture-replay in GitHub repository answerdev/answer prior to 1.0.6.

Insufficient Session Expiration in GitHub repository answerdev/answer prior to 1.0.6.

# SSRF vulnerability ## Summary When CairoSVG processes an SVG file, it can make requests to the inner host and different outside hosts. ## Operating system, version and so on Linux, Debian (Buster) LTS core 5.10 / Parrot OS 5.1 (Electro Ara), python 3.9 ## Tested CairoSVG version 2.6.0 ## Details A specially crafted SVG file that loads an external resource from a URL. Remote attackers could exploit this vulnerability to cause a scan of an organization's internal resources or a DDOS attack on external resources. It looks like this bug can affect websites and cause request forgery on the server. ## PoC 1. Generating malicious svg file: 1.1 CairoSVG_exploit.svg: ```svg <?xml version="1.0" standalone="yes"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <image height="200" width="200" xlink:href...

### Impact Applications that use kaml to parse untrusted input containing anchors and aliases may consume excessive memory and crash. ### Patches Version 0.53.0 and later default to refusing to parse YAML documents containing anchors and aliases. ### Workarounds None. ### References Wikipedia has an explanation of this class of vulnerability: [billion laughs attack](https://en.wikipedia.org/wiki/Billion_laughs_attack) ### Acknowledgements Thank you to @gdude2002 for reporting this issue.

A bug in error handling in the `stb_image` C library could cause a NULL pointer dereference when attempting to load an invalid or unsupported image file. This is fixed in version 0.2.5 and later of the `stb_image` Rust crate, by patching the C code to correctly handle NULL pointers. Thank you to GitHub user 0xdd96 for finding and fixing this vulnerability.

A bypass has been found that allows an attacker to upload an SVG with persistent XSS. HTML elements within CDATA needed to be sanitized correctly, as we were converting them to a textnode and therefore, the library wasn't seeing them as DOM elements. Any data within a CDATA node will now be sanitised using [HTMLPurifier](https://github.com/ezyang/htmlpurifier). We've also removed many of the HTML and MathML elements from the allowed element list, as without `ForiegnObject`, they're not legal within the SVG context. Additional tests have been added to the test suite to account for these new bypasses. ### Impact This impacts all users of the `svg-sanitizer` library. ### Patches This issue is fixed in 0.16.0 and higher. ### Workarounds There is currently no workaround available without upgrading. ### For more information If you have any questions or comments about this advisory: Open an issue in [Github](https://github.com/darylldoyle/svg-sanitizer/issues) Email us at [daryll@ens...