ghsa

Wouter Castryck and Thomas Decru presented an efficient key recovery attack on the SIDH protocol. As a result, the secret key of SIKEp751 can be recovered in a matter of hours. The SIKE and SIDH schemes will be removed from oqs 0.7.2. [An efficient key recovery attack on SIDH (preliminary version)](https://eprint.iacr.org/2022/975)

### Impact The functions `ECDSA.recover` and `ECDSA.tryRecover` are vulnerable to a kind of signature malleability due to accepting EIP-2098 compact signatures in addition to the traditional 65 byte signature format. This is only an issue for the functions that take a single `bytes` argument, and not the functions that take `r, v, s` or `r, vs` as separate arguments. The potentially affected contracts are those that implement signature reuse or replay protection by marking the signature itself as used rather than the signed message or a nonce included in it. A user may take a signature that has already been submitted, submit it again in a different form, and bypass this protection. ### Patches The issue has been patched in 4.7.3. ### For more information If you have any questions or comments about this advisory, or need assistance deploying a fix, email us at [[email protected]](mailto:[email protected]).

### Impact `undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js const undici = require("undici") undici.request({origin: "http://example.com", pathname: "//127.0.0.1"}) ``` Instead of processing the request as `http://example.org//127.0.0.1` (or `http://example.org/http://127.0.0.1` when `http://127.0.0.1 is used`), it actually processes the request as `http://127.0.0.1/` and sends it to `http://127.0.0.1`. If a developer passes in user input into `path` parameter of `undici.request`, it can result in an _SSRF_ as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL. ### Patches This issue was fixed in `[email protected]`. ### Workarounds The best workaround is to validate user input before passing it to the...

### Impact The default landing page contained HTML to display a sample `curl` command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from `window.location.href`. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript. This only affects Apollo Server with the [default landing page](https://www.apollographql.com/docs/apollo-server/api/plugin/landing-pages/) enabled. Old browsers visiting your server may be affected if ANY of these apply: - You do not pass any landing page plugin to the `plugins` option of `new ApolloServer`. - You pass `ApolloServerPluginLandingPageLocalDefault()` or `ApolloServerPluginLandingPageProductionDefault()` to the `plugins` option of `new ApolloServer`. Browsers visiting your server are NOT affect...

### Impact This issue concerns instances of Governor that use the module `GovernorVotesQuorumFraction`, a mechanism that determines quorum requirements as a percentage of the voting token's total supply. In affected instances, when a proposal is passed to lower the quorum requirement, past proposals may become executable if they had been defeated only due to lack of quorum, and the number of votes it received meets the new quorum requirement. Analysis of instances on chain found only one proposal that met this condition, and we are actively monitoring for new occurrences of this particular issue. ### Patches This issue has been patched in v4.7.2. ### Workarounds Avoid lowering quorum requirements if a past proposal was defeated for lack of quorum. ### References https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3561 ### For more information If you have any questions or comments about this advisory, or need assistance deploying the fix, email us at [security@openzepp...

### Impact py-cord is a an API wrapper for Discord written in Python. Bots using py-cord version 2.0.0 are vulnerable to remote shutdown if they are added to the server with the `application.commands` scope without the `bot` scope. Currently, it appears that all public bots that use slash commands are affected. ### Patches This issue has been patched in version 2.0.1. ### Workarounds There are currently no recommended workarounds - please upgrade to a patched version. ### References https://github.com/Pycord-Development/pycord/pull/1568 ### For more information If you have any questions or comments about this advisory: * Open an issue in [our GitHub](https://github.com/Pycord-Development/pycord) * Email us at [[email protected]](mailto:[email protected])

NotrinosERP version 0.7 and prior is vulnerable to stored cross-site scripting. A fix is available on the `master` branch of the repository.

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in /mdiy/model/delete URI via models Lists.

OctoPrint 1.7.3 and prior does not have rate limiting on the login page, making it possible for attackers to attempt brute force attacks. The severity of this issue is limited by OctoPrint normally running in a restricted LAN. The `devel` and `maintenance` branches of the repository have a fix that limits the rate of failed login attempts.

Cockpit Content Platform through version 2.2.1 is vulnerable to a two-factor authentication (2FA) bypass. The 2FA secret is disclosed in a JWT token after user logs into their account, allowing an attacker to bypass the 2FA code. A patch is available on the `develop` branch and is expected to be part of version 2.2.2.