Security
Headlines
Source: ghsa
GHSA-25c3-7fvj-v45j: phpMyFAQ Stored Cross-site Scripting vulnerability

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

GHSA-g92r-9rxw-cmgx: phpMyFAQ Improper Authentication vulnerability

Improper Authentication in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

GHSA-6449-vf6p-9hfp: thorsten/phpmyfaq is vulnerable to cross-site scripting (XSS)

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.10.

GHSA-q3rm-f527-ghxj: Publify Improper Input Validation vulnerability

Improper Input Validation in GitHub repository publify/publify prior to 9.2.10.

GHSA-7cxr-h8wm-fg4c: Apache Shiro Interpretation Conflict vulnerability

When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The bypass occurs because Shiro and Spring Boot match request paths with different pattern-matching techniques: Shiro and Spring Boot < 2.6 both default to Ant-style pattern matching, while Spring Boot 2.6 changed the default MVC matching strategy to PathPatternParser, so a request path can be matched by one side and not by the other. Mitigation: update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: `spring.mvc.pathmatch.matching-strategy = ant_path_matcher`
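To see how the two strategies can disagree on the same request, here is an added Java check (not code from Shiro, Spring Boot or the advisory) that runs each filter-chain pattern and request path through Spring's AntPathMatcher and through PathPatternParser and flags any disagreement. It assumes spring-core and spring-web 5.3.x on the classpath, uses Spring's AntPathMatcher as a stand-in for Shiro's own Ant-style matcher (assumption: same Ant semantics), and the pattern/path pairs are constructed. The advisory does not say which request form triggers the bypass; the trailing-slash case is only one documented difference (PathPatternParser matched an optional trailing separator by default in Spring 5.3, AntPathMatcher does not).

```java
import org.springframework.http.server.PathContainer;
import org.springframework.util.AntPathMatcher;
import org.springframework.web.util.pattern.PathPattern;
import org.springframework.web.util.pattern.PathPatternParser;

public class MatcherDrift {
    // Shiro evaluates its filter chain with an Ant-style matcher; Spring's
    // AntPathMatcher stands in for it here (assumption, not Shiro's class).
    private static final AntPathMatcher ANT = new AntPathMatcher();
    // Spring Boot 2.6+ default MVC matching strategy.
    private static final PathPatternParser PARSER = new PathPatternParser();

    static boolean antMatches(String pattern, String path) {
        return ANT.match(pattern, path);
    }

    static boolean pathPatternMatches(String pattern, String path) {
        PathPattern compiled = PARSER.parse(pattern);
        return compiled.matches(PathContainer.parsePath(path));
    }

    public static void main(String[] args) {
        // Constructed chain entries and request paths for illustration only.
        String[][] cases = {
            {"/admin",    "/admin"},
            {"/admin",    "/admin/"},       // expected: ant=false, pathpattern=true (Spring 5.3)
            {"/admin/**", "/admin/users"},
            {"/api/*",    "/api/v1/users"},
        };
        for (String[] c : cases) {
            boolean ant = antMatches(c[0], c[1]);
            boolean ppp = pathPatternMatches(c[0], c[1]);
            System.out.printf("%-12s %-16s ant=%-5b pathpattern=%-5b%s%n",
                    c[0], c[1], ant, ppp, ant != ppp ? "  <-- DISAGREE" : "");
        }
    }
}
```

Any row marked DISAGREE is a path that one side treats as protected and the other does not; feeding your real `[urls]` section and the request forms your application accepts through this harness is a quick way to confirm that forcing `ant_path_matcher` (or upgrading Shiro) removed the drift.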

GHSA-crhg-xgrg-vvcc: a12nserver vulnerable to potential SQL Injections via Knex dependency

### Impact
Users of a12nserver that use MySQL might be vulnerable to SQL injection bugs. If you use a12nserver and MySQL, update as soon as possible. This SQL injection bug might let an attacker obtain OAuth2 access tokens for users other than those who authorized the OAuth2 client.

### Patches
The knex dependency has been updated to 2.4.0 in a12nserver 0.23.0.

### Workarounds
No further workarounds.

### References
* https://github.com/knex/knex/issues/1227
* https://nvd.nist.gov/vuln/detail/CVE-2016-20018
* https://www.ghostccamm.com/blog/knex_sqli/

GHSA-m589-mv4q-p7rj: webbrowser-rs allows attackers to access arbitrary files via supplying a crafted URL

An issue in the IpFile argument of rust-lang webbrowser-rs v0.8.2 allows attackers to access arbitrary files via supplying a crafted URL.

GHSA-5v8v-gwmw-qw97: org.neo4j.procedure:apoc Path Traversal Vulnerability

### Impact
A path traversal vulnerability was found in the apoc.export.* procedures of the APOC plugin for the Neo4j graph database. The issue allows a malicious actor to break out of the expected export directory. Files can only be created, not overwritten. To exploit it, an attacker needs to execute an arbitrary query, either through an authenticated Neo4j client or through a Cypher injection vulnerability in an application. The procedure must also have been allow-listed in the Neo4j configuration, and the APOC setting `apoc.export.file.enabled` must be true. On a UNIX-based system the following query creates an arbitrary file under /tmp:

CALL apoc.export.csv.query('RETURN 1', 'file:///..//..//..//..//tmp/test.txt', {})

### Patches
Users should use the latest released version compatible with their Neo4j version. The minimum versions containing the patch for this vulnerability a...
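The check a file-exporting procedure needs is to resolve the requested name against the configured export directory and refuse anything that lands outside it. The following is an added Java illustration of that check (not APOC's or Neo4j's code): it accepts the `file://` form used in the advisory's query, treats every target as relative to the export directory, normalizes the result, and rejects escapes. The export directory and the inputs are constructed, and a UNIX-style file system is assumed.

```java
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;

public class ExportPathGuard {

    /**
     * Resolve a user-supplied export target against exportDir and reject
     * anything that escapes it. Illustration only, not APOC's implementation.
     * Assumes a UNIX-style file system.
     */
    static Path resolveExportTarget(Path exportDir, String userSupplied) {
        String raw = userSupplied;
        // Accept the file:// form from the advisory's query; keep only the path part.
        if (raw.startsWith("file:")) {
            String p = URI.create(raw).getPath();   // "file:///..//tmp/x" -> "/..//tmp/x"
            if (p == null) {
                throw new IllegalArgumentException("opaque file URI: " + userSupplied);
            }
            raw = p;
        }
        // Never honour an absolute path: everything is relative to the export directory.
        while (raw.startsWith("/")) {
            raw = raw.substring(1);
        }
        Path base = exportDir.toAbsolutePath().normalize();
        // normalize() collapses ".", ".." and repeated separators lexically,
        // so "..//..//..//..//tmp/test.txt" resolves to "/tmp/test.txt" here.
        Path target = base.resolve(raw).normalize();
        if (target.equals(base) || !target.startsWith(base)) {
            throw new IllegalArgumentException(
                    "export target escapes " + base + ": " + userSupplied);
        }
        return target;
    }

    public static void main(String[] args) {
        Path exportDir = Paths.get("/var/lib/neo4j/import");   // constructed directory
        String[] inputs = {                                     // constructed inputs
            "report.csv",
            "2023/report.csv",
            "file:///..//..//..//..//tmp/test.txt",             // the advisory's query form
            "../../etc/cron.d/job",
            "file:///etc/cron.d/job",                           // absolute path, re-rooted under exportDir
        };
        for (String in : inputs) {
            try {
                System.out.println("ALLOW  " + in + " -> " + resolveExportTarget(exportDir, in));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check is lexical: if the export directory itself may contain symlinks pointing outside it, resolve the directory with `toRealPath()` first and re-check the final parent the same way. The absolute-path case is deliberately re-rooted rather than rejected; either policy is defensible as long as the result is proven to sit under the export directory.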

GHSA-vhvq-jh34-3fc8: Keycloak allows impersonation and lockout due to email trust not being handled correctly

A flaw was found in Keycloak: email trust is not handled correctly, which allows impersonation and lockout. An attacker can shadow other users who have the same email address and lock out or impersonate them.

GHSA-jmj6-p2j9-68cp: Wildfly-elytron possibly vulnerable to timing attacks via use of unsafe comparator

A flaw was found in Wildfly-elytron: it uses `java.util.Arrays.equals` in several places to compare secret values, which is unsafe because the comparison stops at the first differing byte and is therefore vulnerable to timing attacks. To compare such values securely, use `java.security.MessageDigest.isEqual` instead. This flaw allows an attacker to access secure information or impersonate an authenticated user.
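To make the difference concrete, here is an added Java example (not Wildfly-elytron's code) that places the early-exit comparison beside the constant-time one the advisory recommends, and wraps the latter in a secret-verification routine that hashes both sides first so that neither the content nor the length of the stored secret influences the running time. It assumes a JDK 8 or newer `MessageDigest.isEqual` (constant-time for the length of its first argument); the stored secret and the attempts are constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class ConstantTimeCompare {

    /**
     * The unsafe pattern, equivalent to what Arrays.equals does: the loop stops
     * at the first mismatch, so the elapsed time tells an attacker how many
     * leading bytes were correct. Kept only as the 'before' case.
     */
    static boolean leakyEquals(byte[] a, byte[] b) {
        if (a.length != b.length) {
            return false;
        }
        for (int i = 0; i < a.length; i++) {
            if (a[i] != b[i]) {
                return false;   // early exit: the timing side channel
            }
        }
        return true;
    }

    /** The safe comparison: every byte of the first argument is visited regardless of mismatches. */
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        return MessageDigest.isEqual(a, b);
    }

    /**
     * Verify a presented secret against the stored one. Hashing both to a
     * fixed-size digest removes any dependence of the comparison time on the
     * stored secret's length or content; isEqual then compares the digests.
     */
    static boolean verifySecret(String expected, String presented) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] e = md.digest(expected.getBytes(StandardCharsets.UTF_8));
            byte[] p = md.digest(presented.getBytes(StandardCharsets.UTF_8));   // digest() resets md
            return constantTimeEquals(e, p);
        } catch (NoSuchAlgorithmException ex) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", ex);
        }
    }

    public static void main(String[] args) {
        String stored = "s3cr3t-api-token-0123456789";   // constructed secret
        String[] attempts = {                            // constructed attempts
            "s3cr3t-api-token-0123456789",               // correct
            "s3cr3t-api-token-0123456780",               // last byte wrong
            "x",                                         // wrong length
        };
        byte[] storedBytes = stored.getBytes(StandardCharsets.UTF_8);
        for (String attempt : attempts) {
            byte[] attemptBytes = attempt.getBytes(StandardCharsets.UTF_8);
            System.out.printf("%-30s leaky=%-5b constant-time=%-5b%n",
                    attempt, leakyEquals(storedBytes, attemptBytes), verifySecret(stored, attempt));
        }
    }
}
```

Both functions return the same booleans; the point is what the elapsed time reveals. Audit for `Arrays.equals`, `String.equals` and hand-written loops wherever passwords, tokens, HMACs or session identifiers are compared, and route them through `MessageDigest.isEqual` on fixed-length inputs.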