Tag
#git
The encryption and decryption process was vulnerable to Bleichenbacher's attack, a padding oracle vulnerability disclosed in 1998. The issue was the padding scheme in use, which allowed an attacker to recover the plaintext of encrypted content. The OPENSSL_PKCS1_PADDING scheme, aka PKCS#1 v1.5 (the default when using the openssl_* functions), was vulnerable, while PKCS#1 v2.0 (also called OAEP) is not. A fix for this vulnerability was merged at https://github.com/Cosmicist/AsymmetriCrypt/pull/5/commits/a0318cfc5022f2a7715322dba3ff91d475ace7c6.
In alterphp/easyadmin-extension-bundle, role-based access rules do not handle action name case sensitivity, which may lead to unauthorized access.
The ADOdb Library for PHP prior to version 5.20.11 is prone to SQL injection vulnerabilities in multiple drivers.
pygmentize is prone to remote code execution due to unsafe sanitization of user input when it is passed to the `highlight` function.
### Impact

This is a cross-site scripting vulnerability which affects every version of Mautic and could allow an attacker unauthorised administrator-level access to Mautic. This vulnerability was reported by Naveen Sunkavally at Horizon3.ai.

### Patches

Upgrade to 3.2.4 or 2.16.5.

Link to patch for 2.x versions: https://github.com/mautic/mautic/compare/2.16.4...2.16.5.diff

Link to patch for 3.x versions: https://github.com/mautic/mautic/compare/3.2.2...3.2.4.diff

### Workarounds

None

### For more information

If you have any questions or comments about this advisory:

* Post in https://forum.mautic.org/c/support
* Email us at [email protected]
### Summary

Since #4787 the log output is printed at the INFO level, while previously it was logged at DEBUG. This means that if the `go build` output is non-empty, goreleaser leaks the environment.

### PoC

* Create a Go project with dependencies, but do not pull them yet (or run goreleaser later in a container, or delete `$GOPATH/pkg`).
* Make sure to have secrets set in the environment.
* Make sure not to have `go mod tidy` in a before hook.
* Run `goreleaser release --clean`.
* Go prints lots of `go: downloading ...` lines, which triggers the "if output not empty, log it" line, which includes the environment.

### Impact

Credentials and tokens are leaked.
### Summary

A low-privilege user account with page edit privileges can read any server file using Twig syntax. This includes Grav user account files (/grav/user/accounts/*.yaml). Each such file stores the hashed user password, the 2FA secret, and the password reset token. This can allow an adversary to compromise any registered account, either by initiating a password reset for a user and reading the reset token from the file, or by cracking the hashed password.

### Proof Of Concept

`{{ read_file('/var/www/html/grav/user/accounts/riri.yaml') }}`

Use the above Twig template syntax in a page and observe that the administrator riri's authentication details are exposed and accessible by any unauthenticated user.

As an additional proof of concept for reading system files, observe the `/etc/passwd` file being read using the following Twig syntax:

`{{ read_file('/etc/passwd') }}`

### References

Similar to a finding in Postgres JDBC: https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-24rp-q3w6-vc56

If you have any questions or comments about this advisory, we a...
### Impact

When source-controller is configured to use an [Azure SAS token](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure-blob-sas-token-example) when connecting to Azure Blob Storage, the token was logged along with the Azure URL when the controller encountered a connection error. An attacker with access to the source-controller logs could use the token to gain access to the Azure Blob Storage until the token expires.

### Patches

This vulnerability was fixed in source-controller **v1.2.5**.

### Workarounds

There is no workaround for this vulnerability except for using a different auth mechanism such as [Azure Workload Identity](https://v2-2.docs.fluxcd.io/flux/components/source/buckets/#azure).

### Credits

This issue was reported and fixed by Jagpreet Singh Tamber (@jagpreetstamber) from the Azure Arc team.

### References

https://github.com/fluxcd/source-controller/pull/1430

### For more information

If you have any questions or comments about this advis...
Cacti versions 1.2.26 and below suffer from a remote code execution vulnerability in import.php.