ghsa

### Impact Attackers can deserialize arbitrary data on affected versions of `melisplatform/melis-front`, and ultimately leads to the execution of arbitrary PHP code on the system. Conducting this attack does not require authentication. Users should immediately upgrade to `melisplatform/melis-front` >= 5.0.1. ### Patches This issue was addressed by restricting allowed classes when deserializing user-controlled data. ### References - https://github.com/melisplatform/melis-front/commit/89ae612d5f1f7aa2fb621ee8de27dffe1feb851e ### For more information If you have any questions or comments about this advisory, you can contact: - The original reporters, by sending an email to vulnerability.research [at] sonarsource.com; - The maintainers, by opening an issue on this repository.

### Impact A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as @xmldom/xmldom) package before 0.8.3. ### Patches Update to `@xmldom/[email protected]` or higher or to `@xmldom/[email protected]` or higher if you are on the dist-tag `next`. ### Workarounds No, if you can not update to v0.8.3, please let us know, we would be able to also provide a patch update for version 0.7.x if required. ### References https://github.com/xmldom/xmldom/pull/437 ### For more information If you have any questions or comments about this advisory: * Email us at [email protected] * Add information to https://github.com/xmldom/xmldom/issue/436

### Observation To handle dependencies that come from a Git repository, Poetry executes various commands, e.g. `git config`. These commands are being executed using the executable’s name and not its absolute path. This can lead to the execution of untrusted code due to the way Windows resolves executable names to paths. Unlike Linux-based operating systems, Windows searches for the executable in the current directory first and looks in the paths that are defined in the `PATH` environment variable afterward. If the current directory contains unknown and thus potentially malicious files, the directory could contain an executable named `git.exe` which would be executed by Poetry. Poetry calls executables by name when handling dependencies from Git. Note that there might be even more places where Poetry calls executables by name. ### Impact This vulnerability can lead to Arbitrary Code Execution, which would lead to the takeover of the system. If a developer is exploited, the attacker...

OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decrypti...

In AdGuardHome, versions v0.95 through v0.108.0-b.13 are vulnerable to Cross-Site Request Forgery (CSRF), in the custom filtering rules functionality. An attacker can persuade an authorized user to follow a malicious link, resulting in deleting/modifying the custom filtering rules. The file that contains the vulnerable code is no longer present as of v0.108.0-b.16.

mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.

In Gogs, versions v0.6.5 through v0.12.10 are vulnerable to Stored Cross-Site Scripting (XSS) that leads to an account takeover.

Metro UI v4.4.0 to v4.5.1 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Javascript function. User input is not properly sanitized before rendering in the `textarea` component.

### Impact An attacker can send an invalid `Content-Type` header that can cause the application to crash, leading to a possible Denial of Service attack. Only the v4.x line is affected. (This was updated: upon a close inspection, v3.x is not affected after all). ### Patches Yes, update to `> v4.8.0`. ### Workarounds You can reject the malicious content types before the body parser enters in action. ```js const badNames = Object.getOwnPropertyNames({}.__proto__) fastify.addHook('onRequest', async (req, reply) => { for (const badName of badNames) { if (req.headers['content-type'].indexOf(badName) > -1) { reply.code(415) throw new Error('Content type not supported') } } }) ``` ### References See the HackerOne report [#1715536](https://hackerone.com/bugs?report_id=1715536&subject=fastify) ### For more information [Fastify security policy](https://github.com/fastify/fastify/security/policy)

### Impact There is a potential vulnerability in Traefik managing HTTP/2 connections. A closing HTTP/2 server connection could hang forever because of a subsequent fatal error. This failure mode could be exploited to cause a denial of service. ### Patches Traefik v2.8.x: https://github.com/traefik/traefik/releases/tag/v2.8.8 Traefik v2.9.x: https://github.com/traefik/traefik/releases/tag/v2.9.0-rc5 ### Workarounds No workaround. ### For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).