ghsa

Improper Authorization in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

### Impact Attestation *user data* (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster. ### Patches The issue has been patched in [v2.5.2](https://github.com/edgelesssys/constellation/releases/tag/v2.5.2). ### Workarounds none

Authentication vulnerability in MOSN before v.0.23.0 allows attacker to escalate privileges via case-sensitive JWT authorization.

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.