Source: ghsa

GHSA-c5hq-35h7-r9x4: usememos/memos Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-rmhx-9h5h-3xh3: usememos/memos vulnerable to stored Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-gxqf-4g4p-q3hc: usememos/memos vulnerable to stored Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-pwhr-p68w-296x: usememos/memos vulnerable to stored Cross-site Scripting

Cross-site Scripting (XSS) - Stored in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-642q-2q68-9j3p: usememos/memos Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-vh43-cc6x-prpr: usememos/memos vulnerable to Improper Verification of Source of a Communication Channel

Improper Verification of Source of a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-r7hg-2cpp-8wqq: usememos/memos has Incorrectly Specified Destination in a Communication Channel

Incorrectly Specified Destination in a Communication Channel in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-gw9m-2m5v-c6x5: usememos/memos Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-cwrm-33qq-4w2x: usememos/memos Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery (CSRF) in GitHub repository usememos/memos 0.9.0 and prior.

GHSA-9c47-m6qq-7p4h: Prototype Pollution in JSON5 via Parse Method

The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.

Impact: This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.

Mitigation: This vulnerability is patched in json v2.2.2 and...