ghsa

All versions of the package semver-tags are vulnerable to Command Injection via the getGitTagsRemote function due to improper input sanitization.

An improper neutralization of input during web page generation ('Cross-site Scripting') [CWE-79] vulnerability in Sling App CMS version 1.1.4 and prior may allow an authenticated remote attacker to perform a reflected cross-site scripting (XSS) attack in multiple features. Upgrade to Apache Sling App CMS >= 1.1.6

Code Injection in GitHub repository froxlor/froxlor prior to 2.0.10.

`tokio::io::ReadHalf<T>::unsplit` can violate the `Pin` contract The soundness issue is described in the [tokio/issues#5372](https://github.com/tokio-rs/tokio/issues/5372) Specific set of conditions needed to trigger an issue (a !Unpin type in ReadHalf) is unusual, combined with the difficulty of making any arbitrary use-after-free exploitable in Rust without doing a lot of careful alignment of data types in the surrounding code. The `tokio` feature `io-util` is also required to be enabled to trigger this soundness issue. Thanks to zachs18 reporting the issue to Tokio team responsibly and taiki-e and carllerche appropriately responding and fixing the soundness bug. Tokio before 0.2.0 used `futures` 0.1 that did not have `Pin`, so it is not affected by this issue.

### Impact If JavaScript-based PayPal checkout methods are used (PayPal Plus, Smart Payment Buttons, SEPA, Pay Later, Venmo, Credit card), the amount and item list sent to PayPal may not be identical to the one in the created order. ### Patches The problem has been fixed with version 5.4.4 ### Workarounds Disable the aforementioned payment methods or use the Security Plugin in version >= 1.0.21. ### References [Shopware blog post](https://news.shopware.com/security-issue-in-paypal-plugin-update-required)

An Insecure Permissions issue in jeecg-boot 2.4.5 and earlier allows remote attackers to gain escalated privilege and view sensitive information via api uri: /sys/user/querySysUser?username=admin.

An Insecure Permissions issue in jeecg-boot 2.4.5 allows unauthenticated remote attackers to gain escalated privilege and view sensitive information via the httptrace interface.

Cross Site Scripting (XSS) vulnerability in automad 1.7.5 allows remote attackers to run arbitrary code via the user name field when adding a user.

### Impact The annotations feature lets users add annotations on highlighted parts of an entry. The controller does not validate authorization on `PUT` and `DELETE` requests which lets a logged user modify or delete any annotation using their ID on their endpoints `example.org/annotations/{id}`. These vulnerable requests also disclose highlighted parts of the entry to the attacker. You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration. ### Resolution A user check is now done in the vulnerable methods before applying change on an annotation. The Annotation retrieval through a `ParamConverter` has also been replaced with a call to the `AnnotationRepository` in order to prevent any information disclosure through response discrepancy. ### Workarounds ### Credits We would like to thank @bAuh0lz for reporting this issue through huntr.dev. Reference: https://huntr.dev/bounties/8fdd9b31-d89b-4bbe-9557-20...

# Description The export feature lets a user export a single entry or a set of entries in a given format (_e.g. PDF, MOBI, TXT_). For example, `https://yourinstance.wallabag.org/export/45.pdf` will export the entry with id 45 in PDF format. Since wallabag 2.0.0-alpha.1, this feature is vulnerable to an insecure direct object reference attack. A logged user can export any single entry without ownership validation. This is due to a lack of access validation in the `downloadEntryAction` method. **You should immediately patch your instance to version 2.5.3 or higher if you have more than one user and/or having open registration.** # Resolution A user check is now done in the vulnerable method before sending the exported entry. The `Entry` retrieval through a `ParamConverter` has also been replaced with a call to the `EntryRepository` in order to prevent any information disclosure through response discrepancy. # Workaround If you are unable to update to the latest version or if yo...