ghsa

## Duplicate advisory This advisory has been withdrawn because it is a duplicate of [GHSA-qwx8-mxxx-mg96](https://github.com/advisories/GHSA-qwx8-mxxx-mg96). This link is maintained to preserve external references. ## Original Description Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

## Duplicate advisory This advisory has been withdrawn because it is a duplicate of [GHSA-mrqx-mjc4-vfh3](https://github.com/advisories/GHSA-mrqx-mjc4-vfh3). This link is maintained to preserve external references. ## Original Description Improper Authorization in GitHub repository wallabag/wallabag prior to 2.5.3.

Out-of-bounds Read vulnerability in Apache Software Foundation Apache InLong.This issue affects Apache InLong: from 1.1.0 through 1.5.0. Users are advised to upgrade to Apache InLong's latest version or cherry-pick https://github.com/apache/inlong/pull/7214 to solve it.

All versions of the package is-http2 are vulnerable to Command Injection due to missing input sanitization or other checks, and sandboxes being employed to the isH2 function.

Cross-site Scripting (XSS) - DOM in GitHub repository microweber/microweber prior to 1.3.2.

### Summary The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `<image>` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. ### Details The bug occurs during SVG parsing of `<image>` tags, in src/Image/Cache.php : ``` if ($type === "svg") { $parser = xml_parser_create("utf-8"); xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false); xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if ($name === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); ``` This part will try to detect `<image>` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass : ``` <svg> <Image xlink:href="phar:///foo"></Ima...

Path resolution in `warp::filters::fs::dir` didn't correctly validate Windows paths meaning paths like `/foo/bar/c:/windows/web/screen/img101.png` would be allowed and respond with the contents of `c:/windows/web/screen/img101.png`. Thus users could potentially read files anywhere on the filesystem. This only impacts Windows. Linux and other unix likes are not impacted by this.

### Impact XSS attack - anyone using the Express API is impacted ### Patches The problem has been resolved. Users should upgrade to version 2.0.0. ### Workarounds Don't pass user supplied data directly to `res.renderFile`. ### References _Are there any links users can visit to find out more?_ See https://github.com/eta-dev/eta/releases/tag/v2.0.0

### Impact Parse Server uses the request header `x-forwarded-for` to determine the client IP address. If Parse Server doesn't run behind a proxy server, then a client can set this header and Parse Server will trust the value of the header. The incorrect client IP address will be used by various features in Parse Server. This allows to circumvent the security mechanism of the Parse Server option `masterKeyIps` by setting an allowed IP address as the `x-forwarded-for` header value. ### Patches The mechanism to determine the client IP address has been rewritten. The correct IP address determination now requires to set the Parse Server option `trustProxy` accordingly, see the express framework's [trust proxy](https://expressjs.com/en/guide/behind-proxies.html) setting. ### References - https://github.com/parse-community/parse-server/security/advisories/GHSA-vm5r-c87r-pf6x - https://expressjs.com/en/guide/behind-proxies.html

ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dent_node.name) is considered trusted and joined to the extraction directory path during processing, then the node content is written to that joined path. By crafting a malicious UBIFS file with node names holding path traversal payloads (e.g. ../../tmp/outside.txt), it's possible to force ubi_reader to write outside of the extraction directory. This issue affects ubi-reader before 0.8.5.