Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-q6mp-562x-ggvv: Cross-site Scripting in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

ghsa
Open in Source
#xss#web#git
GHSA-p64x-8rxx-wf6q: SQL Injection in Django

An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.

GHSA-735f-pg76-fxc4: Heap memory corruption with RSA private key operation

The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue.

GHSA-5pg2-qg87-vmj7: Cross-site Scripting in microweber

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 1.2.19.

GHSA-v923-w3x8-wh69: Improper session management in passport

This affects the package passport before 0.6.0. When a user logs in or logs out, the session is regenerated instead of being closed.

GHSA-8jmw-wjr8-2x66: Command injection in git-clone

All versions of package git-clone are vulnerable to Command Injection due to insecure usage of the --upload-pack feature of git.

GHSA-7mwh-4pqv-wmr8: Regular expression denial of service in scss-tokenizer

All versions of package scss-tokenizer are vulnerable to Regular Expression Denial of Service (ReDoS) via the loadAnnotation() function, due to the usage of insecure regex.

GHSA-h9cw-7g8j-h66h: Server-Side Request Forgery in link-preview-js

The package link-preview-js before 2.1.17 are vulnerable to Server-side Request Forgery (SSRF) which allows attackers to send arbitrary requests to the local network and read the response. This is due to flawed DNS rebinding protection.

GHSA-3829-mgmw-jcg4: Prototype Pollution in deep.assign

deep.assign npm package 0.0.0-alpha.0 is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution').

GHSA-2m4x-4q9j-w97g: Denial of service in Open Policy Agent

An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service (DoS) via a crafted input.