#js

Pimcore is an Open Source Data & Experience Management Platform. In affected versions the `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value. Any backend user with very basic permissions can execute arbitrary SQL statements and thus alter any data or escalate their privileges to at least admin level. This vulnerability has been addressed in version 11.1.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.

### Summary User input passed directly into an SQL statement allows (non-admin) backend users to execute arbitrary SQL statements. ### Details The `/admin/object/grid-proxy` endpoint calls `getFilterCondition()` on fields of classes to be filtered for at https://github.com/pimcore/admin-ui-classic-bundle/blob/bba7c7419cb1f06d5fd98781eab4d6995e4e5dca/src/Helper/GridHelperService.php#L311, passing input from the request, and later executes the returned SQL. One implementation of `getFilterCondition()` is in `Multiselect`, which does not normalize/escape/validate the passed value: https://github.com/pimcore/pimcore/blob/42b6cfa77c4540205bdd10689893ccb73e4bac8f/models/DataObject/ClassDefinition/Data/Multiselect.php#L285-L312 ### PoC * Set up an example project as described on https://pimcore.com/docs/platform/Pimcore/Getting_Started/Installation/Docker_Based_Installation (demo package with example content) * Enter the backend and add a new user without admin privileges, but the "Objec...

### Impact The Generic Extractor in yt-dlp is vulnerable to an attacker setting an arbitrary proxy for a request to an arbitrary url, allowing the attacker to MITM the request made from yt-dlp's HTTP session. This could lead to cookie exfiltration in some cases. <details> To pass extra control data between extractors (such as headers like `Referer`), yt-dlp employs a concept of "url smuggling". This works by adding this extra data as json to the url fragment ("smuggling") that is then passed on to an extractor. The receiving extractor then "unsmuggles" the data from the input url. This functionality is intended to be internal only. Currently, the Generic extractor supports receiving an arbitrary dictionary of HTTP headers in a smuggled url, of which it extracts and adds them to the initial request it makes to such url. This is useful when a url sent to the Generic extractor needs a `Referer` header sent with it, for example. Additionally, yt-dlp has internal headers to set a proxy ...

Red Hat Security Advisory 2023-7216-01 - Red Hat OpenShift Service Mesh 2.4.5 Containers. Issues addressed include a cross site scripting vulnerability.

Red Hat Security Advisory 2023-7215-01 - Red Hat OpenShift Service Mesh 2.2.12 Containers. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7213-01 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2023-7207-01 - An update for c-ares is now available for Red Hat Enterprise Linux 8. Issues addressed include a buffer over-read vulnerability.

Red Hat Security Advisory 2023-7205-01 - An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 8. Issues addressed include denial of service and traversal vulnerabilities.

Red Hat Security Advisory 2023-7202-01 - An update for the container-tools:4.0 module is now available for Red Hat Enterprise Linux 8.

Red Hat Security Advisory 2023-7190-01 - An update for avahi is now available for Red Hat Enterprise Linux 8.