#git

Applications that use UriComponentsBuilder to parse an externally provided URL (e.g. through a query parameter) AND perform validation checks on the host of the parsed URL may be vulnerable to a open redirect attack or to a SSRF attack if the URL is used after passing validation checks.

The ACME-challenge endpoint in Appwrite 0.5.0 through 0.12.x before 0.12.2 allows remote attackers to read arbitrary local files via ../ directory traversal. In order to be vulnerable, `APP_STORAGE_CERTIFICATES/.well-known/acme-challenge` must exist on disk. (This pathname is automatically created if the user chooses to install Let's Encrypt certificates via Appwrite.)

### Impact This security policy is with regards to a timing attack that allows users of Gradio apps to potentially guess the password of password-protected Gradio apps. This relies on the fact that string comparisons in Python terminate early, as soon as there is a string mismatch. Because Gradio apps are, by default, not rate-limited, a user could brute-force millions of guesses to figure out the correct username and password. ### Patches Yes, the problem has been patched in Gradio version 4.19.2 or higher. We have no knowledge of this exploit being used against users of Gradio applications, but we encourage all users to upgrade to Gradio 4.19.2 or higher. Fixed in: https://github.com/gradio-app/gradio/commit/e329f1fd38935213fe0e73962e8cbd5d3af6e87b

### Summary On all Label Studio versions prior to 1.11.0, data imported via file upload feature is not properly sanitized prior to being rendered within a [`Choices`](https://labelstud.io/tags/choices) or [`Labels`](https://labelstud.io/tags/labels) tag, resulting in an XSS vulnerability. ### Details Need permission to use the "data import" function. This was reproduced on Label Studio 1.10.1. ### PoC 1. Create a project.  2. Upload a file containing the payload using the "Upload Files" function.   The following are the contents of the files used in the PoC ``` { "data": { "prompt": "...

### Impact An attacker able to submit many ciphertexts against a single private key, and to get responses in real-time, could recover the private key. This vulnerability has been named KyberSlash. CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C ### Patches Version 0.0.6.1 and newer of PyPQC is patched. ### Workarounds No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes. ### References 1. This was partially patched ("KyberSlash 1") in the reference implementation by Peter Schwabe on December 1st, 2023. https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220 2. This was reported as a security vulnerability by Daniel J. Bernstein on December 15th, 2023. https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ 3. A webpage was stood up for authoritative reference about this by Daniel J. Bernstein on December 19th, 2023. htt...

### Impact All users of mjml-python who insert untrusted data into mjml templates unless that data is checked in a very strict manner. User input like `&lt;script&gt;` would be rendered as `<script>` in the final HTML output. The attacker must be able to control some data which is later injected in an mjml template which is then send out as email to other users. The attacker could control contents of email messages sent through the platform. ### Patches The problem has been fixed in version 0.11.0 of this library. Versions before 0.10.0 are not affected by this security issue which was added as part of commit 84c495da20a91640a1ca551ace17df7f3be644aa. ### Workarounds - Ensure that potentially untrusted user input does not contain any sequences which could be rendered as HTML. ### References - Initial issue report by @sh-at-cs in #52

There is a XSS Vulnerability in Site search Feature to baserCMS. ### Target baserCMS 5.0.8 and earlier versions ### Vulnerability Malicious code may be executed in Site search Feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_73283159

There is a OS command injection in Installer Feature to baserCMS. ### Target baserCMS 5.0.8 and earlier versions ### Vulnerability Malicious command may be executed in Installer. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_73283159

There is a XSS Vulnerability in Content Management Feature to baserCMS. ### Target baserCMS 5.0.8 and earlier versions ### Vulnerability Malicious code may be executed in Content Management Feature. ### Countermeasures Update to the latest version of baserCMS Please refer to the following page to reference for more information. https://basercms.net/security/JVN_73283159

A Helm contributor discovered uninitialized variable vulnerability when Helm parses index and plugin yaml files missing expected content. ### Impact When either an `index.yaml` file or a plugins `plugin.yaml` file were missing all metadata a panic would occur in Helm. In the Helm SDK this is found when using the `LoadIndexFile` or `DownloadIndexFile` functions in the `repo` package or the `LoadDir` function in the `plugin` package. For the Helm client this impacts functions around adding a repository and all Helm functions if a malicious plugin is added as Helm inspects all known plugins on each invocation. ### Patches This issue has been resolved in Helm v3.14.2. ### Workarounds If a malicious plugin has been added which is causing all Helm client commands to panic, the malicious plugin can be manually removed from the filesystem. If using Helm SDK versions prior to 3.14.2, calls to affected functions can use `recover` to catch the panic. ### For more information Helm's secu...