Security Headlines: Latest CVEs

Source: ghsa

GHSA-mxrx-fg8p-5p5j: Bifrost vulnerable to authentication check flaw that leads to authentication bypass

### Impact
The admin and monitor user groups need to be authenticated by username and password. If the `X-Requested-With: XMLHttpRequest` field is deleted from the request header, the authentication is bypassed.
### Patches
https://github.com/brockercap/Bifrost/pull/201
### Workarounds
Upgrade to the latest version.
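The advisory describes an authentication check that is gated on a client-controlled header. The Python below is an added illustration of that pattern and its fix; it is not Bifrost's code, the exact shape of the original check is assumed, and the credential table, header names and function names are constructed for the example.

```python
import base64
import hmac

# Constructed credential table for this example; it is not Bifrost's user store.
USERS = {
    "admin": "admin-password",
    "monitor": "monitor-password",
}


def _basic_auth_ok(headers: dict) -> bool:
    """Validate an HTTP Basic `Authorization` header against USERS."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = USERS.get(user)
    # Constant-time comparison of the supplied password with the stored one.
    return expected is not None and hmac.compare_digest(password, expected)


def is_authenticated_vulnerable(headers: dict) -> bool:
    """Flawed pattern (assumed shape of the bug, not Bifrost's source): the
    credential check is only reached when the client sends
    `X-Requested-With: XMLHttpRequest`. A request that simply omits the header
    falls through as if it were trusted."""
    if headers.get("X-Requested-With") != "XMLHttpRequest":
        return True
    return _basic_auth_ok(headers)


def is_authenticated_fixed(headers: dict) -> bool:
    """Credentials are required regardless of any client-controlled header.
    The header may still select the response format, never the auth decision."""
    return _basic_auth_ok(headers)


def basic_header(user: str, password: str) -> dict:
    """Build the Authorization header a legitimate client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}
```

The check that matters when reviewing a fix like this: every path that reaches a protected handler must pass through the credential validation, and no request attribute the client can add or drop (headers, query flags, content type) should decide whether that validation runs.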

GHSA-4vf4-955g-vxp2: OroCommerce Cross site scripting vulnerability during shipping rule editing for UPS integration

### Impact
The shipping rule edit page is vulnerable to a cross-site scripting (XSS) payload added to the UPS Surcharge field. The attacker must have permission to create or edit a shipping rule.

GHSA-f42p-vc8p-7x54: MobSF allows attackers to read arbitrary files via a crafted HTTP request

Mobile Security Framework (MobSF) v0.9.2 and below was discovered to contain a local file inclusion (LFI) vulnerability in the `StaticAnalyzer/views.py` script. This vulnerability allows attackers to read arbitrary files via a crafted HTTP request.
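The MobSF advisory is a local file inclusion via a crafted request. The following Python is an added example of the containment check such a handler needs; it is not MobSF's code, and the directory layout, file names and helper names are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def resolve_under(base_dir: str, requested: str) -> Path:
    """Return the absolute path for `requested` only if it stays inside base_dir.

    resolve() follows symlinks and collapses `..` before the containment check,
    so traversal, absolute paths and symlink escapes are all rejected.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"path escapes {base}: {requested!r}")
    return target


def is_contained(base_dir: str, requested: str) -> bool:
    try:
        resolve_under(base_dir, requested)
    except ValueError:
        return False
    return True


def read_analysis_file(base_dir: str, requested: str) -> bytes:
    """Hypothetical handler helper: read a file only after the containment check."""
    return resolve_under(base_dir, requested).read_bytes()


def demo() -> dict:
    """Constructed fixture: an upload directory with one real file and one symlink
    pointing outside it, exercised against the four escape patterns."""
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.mkdir(uploads)
        with open(os.path.join(uploads, "report.json"), "w") as fh:
            fh.write("{}")
        outside = os.path.join(tmp, "secret.txt")
        with open(outside, "w") as fh:
            fh.write("top secret")
        os.symlink(outside, os.path.join(uploads, "link.json"))
        return {
            "plain": is_contained(uploads, "report.json"),
            "traversal": is_contained(uploads, "../secret.txt"),
            "absolute": is_contained(uploads, "/etc/passwd"),
            "symlink": is_contained(uploads, "link.json"),
            "content": read_analysis_file(uploads, "report.json"),
        }
```

Note that `Path(base) / "/etc/passwd"` silently discards `base` (an absolute right-hand operand wins), which is why the check is done on the resolved result rather than on the joined string.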

GHSA-2qc6-mcvw-92cw: Update bundled libxml2 to v2.10.3 to resolve multiple CVEs

### Summary
Nokogiri v1.13.9 upgrades the packaged version of its dependency libxml2 to [v2.10.3](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.10.3) from v2.9.14. libxml2 v2.10.3 addresses the following known vulnerabilities:
- [CVE-2022-2309](https://nvd.nist.gov/vuln/detail/CVE-2022-2309)
- [CVE-2022-40304](https://nvd.nist.gov/vuln/detail/CVE-2022-40304)
- [CVE-2022-40303](https://nvd.nist.gov/vuln/detail/CVE-2022-40303)

Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.9`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` release announcements.
### Mitigation
Upgrade to Nokogiri `>= 1.13.9`. Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link Nokogiri against external libraries libxml2 `>= 2.10.3` which w...

GHSA-q4qq-jhjv-7rh2: MySQL JDBC deserialization vulnerability

### Impact
In Dataease, the MySQL data source in the data source function can customize the JDBC connection parameters and the MySQL server target to be connected.

![6fc8d5c539807157ee471464b184ab66](https://user-images.githubusercontent.com/13026505/195741851-19f32efb-4391-428a-949f-3d11849f417a.png)

In `backend/src/main/java/io/dataease/provider/datasource/JdbcProvider.java`, the `MysqlConfiguration` class does not filter any parameters and directly concatenates user input:

```java
@Getter
@Setter
public class MysqlConfiguration extends JdbcConfiguration {
    private String driver = "com.mysql.jdbc.Driver";
    private String extraParams = "characterEncoding=UTF-8&connectTimeout=5000&useSSL=false&allowPublicKeyRetrieval=true&zeroDateTimeBehavior=convertToNull";

    public String getJdbc() {
        if (StringUtils.isEmpty(extraParams.trim())) {
            return "jdbc:mysql://HOSTNAME:PORT/DATABASE"
                .replace("HOSTNAME", getHost().trim())
                .replace("PORT", get...
```
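The root cause above is that user-supplied connection properties and target host are concatenated into the JDBC URL unchanged. The Python below is an added example of the allowlist-based construction that closes this off; it is not Dataease's code (the project is Java), and the allowlist contents, validation regexes and function names are constructed for the example, with the keys mirroring the defaults in the snippet.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Connection properties a data-source form may set and the values each may take
# (None = any non-negative integer). Constructed allowlist for this example.
ALLOWED_PARAMS = {
    "characterEncoding": {"UTF-8", "utf8"},
    "connectTimeout": None,
    "useSSL": {"true", "false"},
    "allowPublicKeyRetrieval": {"true", "false"},
    "zeroDateTimeBehavior": {"convertToNull", "exception", "round"},
}

HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")
DATABASE_RE = re.compile(r"[A-Za-z0-9_]+")


def validate_extra_params(extra: str) -> str:
    """Return a re-encoded query string containing only allowlisted properties.

    Anything not on the list, including Connector/J's deserialization-related
    `autoDeserialize`, is rejected instead of being handed to the driver.
    """
    clean = []
    for key, value in parse_qsl(extra, keep_blank_values=True, strict_parsing=True):
        if key not in ALLOWED_PARAMS:
            raise ValueError(f"connection property not allowed: {key}")
        allowed = ALLOWED_PARAMS[key]
        if allowed is None:
            if not re.fullmatch(r"[0-9]+", value):
                raise ValueError(f"{key} must be an integer, got {value!r}")
        elif value not in allowed:
            raise ValueError(f"{key} must be one of {sorted(allowed)}, got {value!r}")
        clean.append((key, value))
    return urlencode(clean)


def build_jdbc_url(host: str, port: int, database: str, extra: str = "") -> str:
    """Build jdbc:mysql://host:port/database?params from validated pieces only."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"bad host: {host!r}")
    if not 1 <= port <= 65535:
        raise ValueError(f"bad port: {port}")
    if not DATABASE_RE.fullmatch(database):
        raise ValueError(f"bad database name: {database!r}")
    url = f"jdbc:mysql://{host}:{port}/{database}"
    query = validate_extra_params(extra) if extra.strip() else ""
    return f"{url}?{query}" if query else url


def is_accepted(host: str, port: int, database: str, extra: str = "") -> bool:
    try:
        build_jdbc_url(host, port, database, extra)
    except ValueError:
        return False
    return True
```

Because `parse_qsl` percent-decodes before the allowlist lookup and `urlencode` re-encodes afterwards, an encoded key such as `autoDeseriali%7Ae` is compared in its decoded form and cannot slip past the check.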

GHSA-j92c-mmf7-j5x5: Potential inter-blockchain communication (IBC) protocol compromise via "Dragonberry" vulnerability in cheqd

### Impact
This vulnerability affects IBC transfers due to a security vulnerability dubbed "Dragonberry" upstream in [Cosmos SDK](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9). The vulnerability could allow malicious attackers to compromise chain-to-chain IBC transfers. There is no vulnerability in the DID/resource modules for cheqd-node.
### Patches
Node operators are requested to upgrade to [cheqd-node v0.6.9](https://github.com/cheqd/cheqd-node/releases/tag/0.6.9) as soon as possible. Installation instructions are in the release notes. Please do not install any beta/pre-release versions.
### Workarounds
None. The patch takes effect when more than 2/3rds of the voting power of the cheqd network has upgraded to this patch. An emergency hotfix was released previously under v0.6.8 but this is now deprecated since [Cosmos SDK v0.45.9](https://github.com/cosmos/cosmos-sdk/releases/tag/v0.45.9) officially fixes this upstream.
### References
- [IBC Security Advisory on "Drag...

GHSA-6mhr-52mv-6v6f: Field-level access-control bypass for multiselect field

#### Impact
`@keystone-6/[email protected] || 2.3.0` users who are using the `multiselect` field and provided field-level access control are vulnerable to their field-level access control not being used. List-level access control is **NOT** affected. Field-level access control for fields other than `multiselect` is **NOT** affected.

Example, **you are vulnerable if** you are using field-level access control on a `multiselect` like the following:

```ts
const yourList = list({
  access: {
    // this is list-level access control, this is NOT impacted
  },
  fields: {
    yourFieldName: multiselect({
      // this is field-level access control, for multiselect fields
      // this is vulnerable
      access: {
        create: ({ session }) => session?.data.isAdmin,
        update: ({ session }) => session?.data.isAdmin,
      },
      options: [
        { value: 'apples', label: 'Apples' },
        { value: 'oranges', label: 'Oranges' },
      ],
      // ...
    }),
    // ...
  },
  ...
```

GHSA-h423-w6qv-2wj3: parse-server crashes when receiving file download request with invalid byte range

### Impact
Parse Server crashes when a file download request is received with an invalid byte range.
### Patches
Improved parsing of the range parameter to properly handle invalid range requests.
### Workarounds
None
### References
- [GHSA-h423-w6qv-2wj3](https://github.com/parse-community/parse-server/security/advisories/GHSA-h423-w6qv-2wj3)
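The advisory says only that an invalid byte range crashes the server and that the fix is stricter parsing of the range parameter. As an added example of what "properly handle invalid range requests" looks like, the Python below parses a single-range `Range: bytes=...` header and maps every malformed or unsatisfiable input to a defined response instead of an exception. It is not parse-server's code (the project is JavaScript); the function names and the response triple are constructed for the example, and the behaviour follows RFC 7233 (ignore an invalid header, answer 416 for a well-formed but unsatisfiable one).

```python
import re
from typing import Optional, Tuple

_NUM = re.compile(r"[0-9]+")


class RangeNotSatisfiable(Exception):
    """Well-formed range that lies entirely outside the file (HTTP 416)."""


def parse_range(header: Optional[str], size: int) -> Optional[Tuple[int, int]]:
    """Parse a single `Range: bytes=...` header against a file of `size` bytes.

    Returns an inclusive (start, end) pair, or None when the header is absent or
    malformed (an invalid Range header is ignored and the whole file is sent).
    Raises RangeNotSatisfiable when the range is well-formed but cannot be served.
    """
    if not header or not header.startswith("bytes="):
        return None
    spec = header[len("bytes="):].strip()
    if "," in spec:  # multi-range requests are not supported here: serve whole file
        return None
    start_s, sep, end_s = spec.partition("-")
    start_s, end_s = start_s.strip(), end_s.strip()
    if not sep or (not start_s and not end_s):
        return None
    if (start_s and not _NUM.fullmatch(start_s)) or (end_s and not _NUM.fullmatch(end_s)):
        return None
    if size <= 0:
        raise RangeNotSatisfiable()
    if not start_s:  # suffix form: bytes=-N means the last N bytes
        suffix = int(end_s)
        if suffix == 0:
            raise RangeNotSatisfiable()
        return max(size - suffix, 0), size - 1
    start = int(start_s)
    if start >= size:
        raise RangeNotSatisfiable()
    end = int(end_s) if end_s else size - 1
    if start > end:  # first-byte-pos > last-byte-pos is invalid: ignore the header
        return None
    return start, min(end, size - 1)


def serve(data: bytes, range_header: Optional[str]):
    """Return (status, body, Content-Range) for a download of `data`."""
    size = len(data)
    try:
        rng = parse_range(range_header, size)
    except RangeNotSatisfiable:
        return 416, b"", f"bytes */{size}"
    if rng is None:
        return 200, data, None
    start, end = rng
    return 206, data[start:end + 1], f"bytes {start}-{end}/{size}"
```

The two cases that most often crash naive implementations are an end offset past the file (clip it, do not index with it) and an empty file with any range at all (size 0 makes every range unsatisfiable, so the suffix arithmetic must never run).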

GHSA-p8f7-22gq-m7j9: Phoenix before 1.6.14 mishandles check_origin wildcarding

`socket/transport.ex` in Phoenix before 1.6.14 mishandles `check_origin` wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token.

GHSA-qrw5-5h28-6cmg: Denial-of-service vulnerability in internationalized URLs

In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject to a potential denial of service attack via the locale parameter, which is treated as a regular expression.
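The mechanism here is a request-supplied value being compiled as a regular expression. The Python below is an added illustration of that mistake next to the safe construction (escape the value and accept only configured languages); it is not Django's code, and the language set, the pattern shape and the function names are constructed for the example.

```python
import re

# Configured site languages; constructed for this example as a stand-in for a
# framework's language settings.
LANGUAGES = {"en", "de", "fr", "pt-br"}


def locale_pattern_unsafe(locale: str) -> "re.Pattern[str]":
    """Build the prefix pattern from the raw locale string.

    Regex metacharacters in `locale` are interpreted, so the requester controls
    the pattern's shape and its matching cost (nested quantifiers such as
    `(a+)+` backtrack catastrophically on a non-matching input).
    """
    return re.compile(rf"^/{locale}/")


def locale_pattern_safe(locale: str) -> "re.Pattern[str]":
    """Accept only a configured language, and escape it before compiling."""
    if locale not in LANGUAGES:
        raise ValueError(f"unknown locale: {locale!r}")
    return re.compile(rf"^/{re.escape(locale)}/")


def accepts_locale(locale: str) -> bool:
    try:
        locale_pattern_safe(locale)
    except ValueError:
        return False
    return True


def matches_unsafe(locale: str, path: str) -> bool:
    return locale_pattern_unsafe(locale).match(path) is not None


def matches_safe(locale: str, path: str) -> bool:
    return locale_pattern_safe(locale).match(path) is not None
```

With the unsafe builder a locale of `e.` matches `/ex/` and `(en|de)` matches `/de/`, which shows the value is being treated as syntax rather than as a literal; the safe builder never reaches `re.compile` with an unknown value, so the expensive patterns cannot be constructed at all.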