#git

The codehighlight extension bundles a vulnerable version of the 3rd party JavaScript component “prism” which is known to be vulnerable against Regular expression Denial of Service (ReDoS).

amphp/http versions before 1.0.1 allows an attacker to supply invalid input in the Host header which may lead to various type of Host header injection attacks.

In artax version before 1.0.6 and 2 before 2.0.6, cookies of `foo.bar.example.com` were leaked to `foo.bar`. Additionally, any site could set cookies for any other site. Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.

amphp/http-client has a security weakness that might leak sensitive request headers from the initial request to the redirected host on cross-domain redirects, which were not removed correctly. `Message::setHeaders` does not replace the entire set of headers, but only operates on the headers matching the given array keys.

The encryption and decryption process were vulnerable against the Bleichenbacher's attack, which is a padding oracle vulnerability disclosed in the 98'. The issue was about the wrong padding utilized, which allowed to retrieve the encrypted content. The OPENSSL_PKCS1_PADDING version, aka PKCS v1.5 was vulnerable (is the one set by default when using openssl_* methods), while the PKCS v2.0 isn't anymore (it's also called OAEP). A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.

In alterphp/easyadmin-extension-bundle, role based access rules do not handle action name case sensitivity which may lead to unauthorized access.

The ADOdb Library for PHP prior to version 5.20.11 is prone to SQL Injection vulnerability in multiple drivers.

pygmentize is prone to remote code execution due to an unsafe sanitazation of user input when passed to the `highlight` function.

### Impact This is a cross-site scripting vulnerability which affects every version of Mautic and could allow an attacker unauthorised administrator level access to Mautic. This vulnerability was reported by Naveen Sunkavally at Horizon3.ai. ### Patches Upgrade to 3.2.4 or 2.16.5. Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff ### Workarounds None ### For more information If you have any questions or comments about this advisory: * Post in https://forum.mautic.org/c/support * Email us at [email protected]

### Summary Since #4787 the log output is printed on the INFO level, while previously it was logged on DEBUG. This means if the `go build` output is non-empty, goreleaser leaks the environment. ### PoC * Create a Go project with dependencies, do not pull them yet (or run goreleaser later in a container, or delete `$GOPATH/pkg`). * Make sure to have secrets set in the environment * Make sure to not have `go mod tidy` in a before hook * Run `goreleaser release --clean` * Go prints lots of `go: downloading ...` lines, which triggers the "if output not empty, log it" line, which includes the environment. ### Impact Credentials and tokens are leaked.