ghsa

## Summary RSSHub is vulnerable to Server-Side Request Forgery (SSRF) attacks. This vulnerability allows an attacker to send arbitrary HTTP requests from the server to other servers or resources on the network. ## Description An attacker can exploit this vulnerability by sending a request to the affected routes with a malicious URL. For example, if an attacker controls the `ATTACKER.HOST` domain, they can send a request to affected routes with the value set to `ATTACKER.HOST%2F%23`. The `%2F` and `%23` characters are URL-encoded versions of the forward-slash (`/`) and pound (`#`) characters, respectively. In this context, an attacker could use those characters to append the base URL (i.e. `https://${input}.defined.host`) to be modified to `https://ATTACKER.HOST/#.defined.host`. This will cause the server to send a request to the attacker-controlled domain, allowing the attacker to potentially gain access to sensitive information or perform further attacks on the server. ## Proof o...

A vulnerability, which was classified as critical, was found in IonicaBizau node-gry up to 5.x. This affects an unknown part. The manipulation leads to command injection. Upgrading to version 6.0.0 is able to address this issue. The name of the patch is 5108446c1e23960d65e8b973f1d9486f9f9dbd6c. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-218019.

### Impact RefreshTokens is an OAuth 2.0 feature that allows applications to retrieve new access tokens and refresh the user's session without the need for interacting with a UI. RefreshTokens were not invalidated when a user was locked or deactivated. The deactivated or locked user was able to obtain a valid access token only through a refresh token grant. When the locked or deactivated user’s session was already terminated (“logged out”) then it was not possible to create a new session. Renewal of access token through a refresh token grant is limited to the configured amount of time (RefreshTokenExpiration). ### Patches 2.x versions are fixed on >= [2.17.3](https://github.com/zitadel/zitadel/releases/tag/v2.17.3) 2.16.x versions are fixed on >= [2.16.4](https://github.com/zitadel/zitadel/releases/tag/v2.16.4) ZITADEL recommends upgrading to the latest versions available in due course. ### Workarounds Ensure the RefreshTokenExpiration in the OIDC settings of your instance is set ...

### Impact The gatsby-transformer-remark plugin prior to versions 5.25.1 and 6.3.2 passes input through to the `gray-matter` npm package, which is vulnerable to JavaScript injection in its default configuration, unless input is sanitized. The vulnerability is present in gatsby-transformer-remark when passing input in data mode (querying MarkdownRemark nodes via GraphQL). Injected JavaScript executes in the context of the build server. To exploit this vulnerability untrusted/unsanitized input would need to be sourced by or added into a file processed by gatsby-transformer-remark. The following payload demonstrates a vulnerable configuration: ``` ---js ((require("child_process")).execSync("id >> /tmp/rce")) --- ``` ### Patches A patch has been introduced in `[email protected]` and `[email protected]` which mitigates the issue by disabling the `gray-matter` JavaScript Frontmatter engine. The patch introduces a new option, `JSFrontmatterEngine` which is ...

A vulnerability was found in Prestaul skeemas and classified as problematic. This issue affects some unknown processing of the file validators/base.js. The manipulation of the argument uri leads to inefficient regular expression complexity. The name of the patch is 65e94eda62dc8dc148ab3e59aa2ccc086ac448fd. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-218003.

A vulnerability was found in mholt PapaParse up to 5.1.x. It has been classified as problematic. Affected is an unknown function of the file papaparse.js. The manipulation leads to inefficient regular expression complexity. Upgrading to version 5.2.0 is able to address this issue. The name of the patch is 235a12758cd77266d2e98fd715f53536b34ad621. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-218004.

## Duplicate Advisory This advisory has been withdrawn because it is a duplicate of [GHSA-4xh4-v2pq-jvhm](https://github.com/advisories/GHSA-4xh4-v2pq-jvhm). This link is maintained to preserve external references. ## Original Description The personnummer implementation before 3.0.3 for Dart mishandles numbers in which the last four digits match the ^000[0-9]$ regular expression.

### Impact Gotify exposes an outdated instance of the [Swagger UI](https://swagger.io/tools/swagger-ui/) API documentation frontend at `/docs` which is susceptible to reflected XSS attacks when loading external Swagger config files. Specifically, the DOMPurify version included with this version of Swagger UI is vulnerable to a [rendering XSS](https://www.vidocsecurity.com/blog/hacking-swagger-ui-from-xss-to-account-takeovers/) incorporating the mutation payload detailed in [CVE-2020-26870](https://research.securitum.com/mutation-xss-via-mathml-mutation-dompurify-2-0-17-bypass/) which was patched in 2021. This is further tracked in the GitHub Advisory Database as GHSA-QRMM-W75W-3WPX. An attacker can execute arbitrary JavaScript and potentially take over the account of the user that clicked the link. Keep in mind, the Gotify UI won't natively expose such a malicious link, so an attacker has to get the user to open the malicious link in a context outside of Gotify. ### Patches The vu...

# Microsoft Security Advisory CVE-2023-21538: .NET Denial of Service Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends an invalid request to an exposed endpoint. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/80449 ### <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.12 or earlier. If your application uses the following package versions, en...

If the first post of a discussion is permanently deleted but the discussion stays visible, any actor who can view the discussion is able to create a new reply via the REST API, no matter the reply permission or lock status. This includes users that don't have a validated email. Guests cannot successfully create a reply because the API will fail with a 500 error when the user ID 0 is inserted into the database. This should also be fixed to return the expected 401/403 status. This happens because when the first post of a discussion is permanently deleted, the `first_post_id` attribute of the discussion becomes `null` which causes access control to be skipped for all new replies. Flarum automatically makes discussions with zero comments invisible so an additional condition for this vulnerability is that the discussion must have at least one approved reply so that `discussions.comment_count` is still above zero after the post deletion. ### Impact This can open the discussion to uncont...