Security Headlines: Latest CVEs

Source: ghsa

GHSA-qh6w-pq52-qxxq: Pixelfed may allow unauthorized actor to view private posts

Improper Authorization in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

GHSA-vjxx-jgcx-9fq2: Pixelfed allows user enumeration via reset password functionality

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pixelfed/pixelfed 0.11.4 and prior.

GHSA-jrmh-v64j-mjm9: Insecure Temporary File in RESTEasy

In RESTEasy the insecure File.createTempFile() is used in the DataSourceProvider, FileProvider and Mime4JWorkaround classes which creates temp files with insecure permissions that could be read by a local user.

GHSA-q82h-q47j-f492: Cross-site Scripting in jspreadsheet

The dropdown menu in jspreadsheet before v4.6.0 was discovered to be vulnerable to cross-site scripting (XSS).

GHSA-r2h5-3hgw-8j34: User data in TPM attestation vulnerable to MITM

### Impact

Attestation *user data* (such as the digest of the public key in an aTLS connection) was bound to the issuer's TPM, but not to its PCR state. An attacker could intercept a node initialization, initialize the node themselves, and then impersonate an uninitialized node to the validator. In practice, this meant that a CSP insider with sufficient privileges would have been able to join a node under their control to a Constellation cluster.

### Patches

The issue has been patched in [v2.5.2](https://github.com/edgelesssys/constellation/releases/tag/v2.5.2).

### Workarounds

None.

GHSA-5vx9-j5cw-47vq: Privilege escalation in MOSN

Authentication vulnerability in MOSN before v.0.23.0 allows an attacker to escalate privileges via case-sensitive JWT authorization.

GHSA-vvpx-j8f3-3w6h: Uncontrolled Resource Consumption

A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient to cause a denial of service from a small number of small requests.

GHSA-qgc7-mgm3-q253: Uncontrolled Resource Consumption

An attacker can craft a malformed TIFF image which will consume a significant amount of memory when passed to DecodeConfig. This could lead to a denial of service.

GHSA-f9c6-4j9h-6c5r: Misinterpretation of Input in thorsten/phpmyfaq

Misinterpretation of Input in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

GHSA-vp4r-h765-5mwp: Code Injection in froxlor/froxlor

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.11.