#git

## Summary It is possible to introduce user-controlled JavaScript code and trigger a Cross-Site Scripting (XSS) vulnerability in some cases. ## Actions Taken - Updated the documentation to clarify that while `ghtml` escapes characters with special meaning in HTML, it does not provide comprehensive protection against all types of XSS attacks in every scenario. **_This aligns with the approach taken by other template engines. Developers should be cautious and take additional measures to sanitize user input and prevent potential vulnerabilities._** More reading: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - The backtick character (`) is now also escaped to prevent the creation of strings in most cases where a malicious actor somehow gains the ability to write JavaScript. This does not provide comprehensive protection either.

### Impact The `status`, `reinstall` and `remove` commands with packages installed from source via git containing specially crafted branch names in the repository can be used to execute code. ### Patches 2.2.24 for 2.2 LTS or 2.7.7 for mainline ### Workarounds Avoid installing dependencies via git by using `--prefer-dist` or the `preferred-install: dist` config setting.

### Impact The `composer install` command running inside a git/hg repository which has specially crafted branch names can lead to command injection. So this requires cloning untrusted repositories. ### Patches 2.2.24 for 2.2 LTS or 2.7.7 for mainline ### Workarounds Avoid cloning potentially compromised repositories.

Langflow through 0.6.19 allows remote code execution if untrusted users are able to reach the "POST /api/v1/custom_component" endpoint and provide a Python script.

Pseudonymous masking has made credit card transactions more secure, but Visa has even greater plans for tokenization: giving users control of their data.

The tranche of data, lifted from underprotected GitHub repositories, reportedly includes source code, though the country's paper of record has not yet confirmed the nature of the data accessed.

### Impact In the OCI Distribution Specification version 1.0.0 and prior and in the OCI Image Specification version 1.0.1 and prior, manifest and index documents are ambiguous without an accompanying Content-Type HTTP header. Versions of Moby (Docker Engine) prior to 20.10.11 treat the Content-Type header as trusted and deserialize the document according to that header. If the Content-Type header changed between pulls of the same ambiguous document (with the same digest), the document may be interpreted differently, meaning that the digest alone is insufficient to unambiguously identify the content of the image. ### Patches This issue has been fixed in Moby (Docker Engine) 20.10.11. Image pulls for manifests that contain a “manifests” field or indices which contain a “layers” field are rejected. ### Workarounds Ensure you only pull images from trusted sources. ### References https://github.com/opencontainers/distribution-spec/security/advisories/GHSA-mc8v-mgrf-8f4m https://github...

## Impact A bug was found in the Docker CLI where running `docker login my-private-registry.example.com` with a misconfigured configuration file (typically `~/.docker/config.json`) listing a `credsStore` or `credHelpers` that could not be executed would result in any provided credentials being sent to `registry-1.docker.io` rather than the intended private registry. ## Patches This bug has been fixed in Docker CLI 20.10.9. Users should update to this version as soon as possible. ## Workarounds Ensure that any configured `credsStore` or `credHelpers` entries in the configuration file reference an installed credential helper that is executable and on the `PATH`. ## For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/docker/cli/issues/new/choose) * Email us at [email protected] if you think you’ve found a security bug

## Impact A bug was found in Moby (Docker Engine) where attempting to copy files using `docker cp` into a specially-crafted container can result in Unix file permission changes for existing files in the host’s filesystem, widening access to others. This bug does not directly allow files to be read, modified, or executed without an additional cooperating process. ## Patches This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers do not need to be restarted. ## Workarounds Ensure you only run trusted containers. ## Credits The Moby project would like to thank Lei Wang and Ruizhi Xiao for responsibly disclosing this issue in accordance with the [Moby security policy](https://github.com/moby/moby/blob/master/SECURITY.md). ## For more information If you have any questions or comments about this advisory: * [Open an issue](https://github.com/moby/moby/issues/new) * Email us at  [email protected]  if you th...

A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability.