Security
Headlines

Source

ghsa

GHSA-44mr-8vmm-wjhg: Wasmtime out of bounds read/write with zero-memory-pages configuration

### Impact

There is a bug in Wasmtime's implementation of its pooling instance allocator when the allocator is configured to give WebAssembly instances a maximum of zero pages of memory. In this configuration the virtual memory mapping for WebAssembly memories did not meet the configuration requirements the compiler relies on for safely executing WebAssembly modules. Wasmtime's default settings rely on virtual memory page faults to signal that wasm reads/writes are out of bounds, but the pooling allocator's configuration did not create an appropriate virtual memory mapping for this, meaning out-of-bounds reads/writes could successfully read/write memory unrelated to the wasm sandbox that lies within range of the base address of the mapping created by the pooling allocator. This bug can only be triggered by setting `InstanceLimits::memory_pages` to zero. This is expected to be a very rare configuration, since it means that wasm modules cannot allocate any pages of linear memory. All wasm mo...

GHSA-99g5-5643-xphp: mm-wiki is vulnerable to Cross-Site Scripting (XSS)

mm-wiki v0.2.1 is vulnerable to Cross-Site Scripting (XSS).

GHSA-98pf-gfh3-x3mp: Read the Docs vulnerable to Cross-Site Scripting (XSS)

### Impact

This vulnerability allowed a malicious user to serve arbitrary HTML files from the main application domain (readthedocs[.]org / readthedocs[.]com) by exploiting a flaw in the code that serves downloadable content from a project. Exploiting it required the attacker to get a logged-in user to visit the malicious URL, after which the attacker's JavaScript ran in that user's session and could take it over (making requests to the API/site on behalf of the user). The URL would have looked something like `hxxps[:]//readthedocs[.]org/projects/attacker-project/downloads/html/version-with-javascript-attack/`.

### Patches

This issue has been patched in our 8.8.1 release.

GHSA-3qmc-2r76-4rqp: Redwood is vulnerable to account takeover via dbAuth "forgot-password"

# Impact

This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot-password feature:

- only projects using the dbAuth "forgot password" feature are affected
- this vulnerability was introduced in v0.38.0

## User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained from the forgot-password API given knowledge of that user's username or email. With the leaked reset token, a malicious user could reset the victim's password, changing their credentials and gaining access to their account.

## How to Determine if Projects have been Attacked

To determine whether a project has been attacked, we recommend checking logs for suspicious activity, namely the volume of requests to the forgot-password API using emails that don't exist. Another indication is users reporting that they can't access their accounts. If you have questions or concerns, reach out via the "For More Informati...

GHSA-93vw-8fm5-p2jf: Parse Server is vulnerable to Prototype Pollution via Cloud Code Webhooks

### Impact

A compromised Parse Server Cloud Code Webhook target endpoint allows an attacker to use prototype pollution to bypass the Parse Server `requestKeywordDenylist` option.

### Patches

Improved keyword detection.

### Workarounds

None.

### Collaborators

Mikhail Shcherbakov, Cristian-Alexandru Staicu and Musard Balliu working with Trend Micro Zero Day Initiative

GHSA-p2jh-44qj-pf2v: Exfiltration of hashed SMB credentials on Windows via file:// redirect

### Impact

When following a redirect, Electron delays its check for redirects to file:// URLs from other schemes. The contents of the file are not available to the renderer following the redirect, but if the redirect target is an SMB URL such as `file://some.website.com/`, then in some cases Windows will connect to that server and attempt NTLM authentication, which can include sending hashed credentials.

### Patches

This issue has been fixed in all current stable versions of Electron. Specifically, these versions contain the fixes:

- 21.0.0-beta.1
- 20.0.1
- 19.0.11
- 18.3.7

We recommend all apps upgrade to the latest stable version of Electron.

### Workarounds

If upgrading isn't possible, this issue can be addressed without upgrading by preventing redirects to file:// URLs in the `WebContents.on('will-redirect')` event, for all WebContents:

```js
app.on('web-contents-created', (e, webContents) => {
  webContents.on('will-redirect', (e, url) => {
    if (/^file:/.test(url)) e.preve...
```

GHSA-2p9h-ccw7-33gf: cleo is vulnerable to Regular Expression Denial of Service (ReDoS)

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the cleo PyPI package when an attacker is able to supply arbitrary input to the `Table.set_rows` method.

GHSA-4r6j-fwcx-94cf: snowflake-connector-python is vulnerable to Regular Expression Denial of Service (ReDoS)

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the snowflake-connector-python PyPI package when an attacker is able to supply arbitrary input to the `get_file_transfer_type` method.

GHSA-5jqp-885w-xj32: pymatgen is vulnerable to Regular Expression Denial of Service (ReDoS)

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the pymatgen PyPI package when an attacker is able to supply arbitrary input to the `GaussianInput.from_string` method.

GHSA-9fmc-5fq4-5jwh: HashiCorp Nomad vulnerable to Insufficient Session Expiration

In HashiCorp Nomad and Nomad Enterprise 1.4.0 up to 1.4.1, event stream subscribers authenticated with a token that has a TTL continue to receive updates after the token expires, until the token is garbage collected. Fixed in 1.4.2.