ghsa

### Summary CVEs on latest 3.1.1 ### Details ## SECURITY ISSUES ### CVE-2024-1681: flask-core <4.0.1 latest version of taipi 3.1.1 needs <=4.0.0 ### CVE-2024-5629: pymongo <4.6.3 #latest version of taipi 3.1.1 needs <=4.6.1 ### PoC please upgrade to these versions ### Impact pre-commit breaks

Hi, Webpack developer team! ### Summary We discovered a DOM Clobbering vulnerability in Webpack’s `AutoPublicPathRuntimeModule`. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an `img` tag with an unsanitized `name` attribute) are present. We found the real-world exploitation of this gadget in the Canvas LMS which allows XSS attack happens through an javascript code compiled by Webpack (the vulnerable part is from Webpack). We believe this is a severe issue. If Webpack’s code is not resilient to DOM Clobbering attacks, it could lead to significant security vulnerabilities in any web application using Webpack-compiled code. ### Details #### Backgrounds DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) livin...

### Summary The Chisel server doesn't ever read the documented `AUTH` environment variable used to set credentials, which allows any unauthenticated user to connect, even if credentials were set. This advisory is a formalization of a report sent to the maintainer via email. ### Details In the help page for the `chisel server` subcommand, it mentions an `AUTH` environment variable that can be set in order to provide credentials that the server should authenticate connections against: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L138. The issue is that the server entrypoint doesn't ever read the `AUTH` environment variable. The only place that this happens is in the client entrypoint: https://github.com/jpillora/chisel/blob/3de177432cd23db58e57f376b62ad497cc10840f/main.go#L452 This subverts the expectations set by the documentation, allowing unauthenticated users to connect to a Chisel server, even if auth is attempted to be set up in this m...

## Impact Instances of the Apollo Router using either of the following may be impacted by a denial-of-service vulnerability. 1. External Coprocessing with specific configurations; or 2. Native Rust Plugins accessing the Router request body in the RouterService layer Router customizations using Rhai scripts are **not** impacted. ### When using External Coprocessing: Instances of the Apollo Router running versions >=1.21.0 and <1.52.1 are impacted by a denial-of-service vulnerability if **all** of the following are true: 1. Router has been configured to support External Coprocessing. 2. Router has been configured to send request bodies to coprocessors. This is a non-default configuration and must be configured intentionally by administrators. You can identify if you are impacted by reviewing your router's configuration YAML for the following config: ```yaml ... coprocessor: url: http://localhost:9000 # likely different in your environment router: request: body: tru...

### Impact Instances of @apollo/query-planner >=2.0.0 and <2.8.5 are impacted by a denial-of-service vulnerability. @apollo/gateway versions >=2.0.0 and < 2.8.5 and Apollo Router <1.52.1 are also impacted through their use of @apollo/query-planner. If @apollo/query-planner is asked to plan a sufficiently complex query, it may loop infinitely and never complete. This results in unbounded memory consumption and either a crash or out-of-memory (OOM) termination. This issue can be triggered if you have at least one non-`@key` field that can be resolved by multiple subgraphs. To identify these shared fields, the schema for each subgraph must be reviewed. The mechanism to identify shared fields varies based on the version of Federation your subgraphs are using. You can check if your subgraphs are using Federation 1 or Federation 2 by reviewing their schemas. Federation 2 subgraph schemas will contain a `@link` directive referencing the version of Federation being used while Federation 1 ...

An Unauthenticated Denial of Service (DoS) vulnerability exists in Flowise version 1.8.2 leading to a complete crash of the instance running a vulnerable version due to improper handling of user supplied input to the `/api/v1/get-upload-file` api endpoint.

An Authentication Bypass vulnerability exists in Flowise version 1.8.2. This could allow a remote, unauthenticated attacker to access API endpoints as an administrator and allow them to access restricted functionality.

A cross-site scripting (XSS) vulnerability in the Create Product function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

A cross-site scripting (XSS) vulnerability in the Config-Create function of fastapi-admin pro v0.1.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Product Name parameter.

### Impact When using the `Extract()` method of unzip-stream, malicious zip files were able to write to paths they shouldn't be allowed to. ### Patches Fixed in 0.3.2 ### References - https://snyk.io/research/zip-slip-vulnerability - https://github.com/mhr3/unzip-stream/compare/v0.3.1...v0.3.2 ### Credits Justin Taft from Google