ghsa

# Microsoft Security Advisory CVE-2025-30399 | .NET Remote Code Vulnerability ## <a name="executive-summary"></a>Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. An attacker could exploit this vulnerability by placing files in particular locations, leading to unintended code execution. ## Discussion Discussion for this issue can be found at https://github.com/dotnet/runtime/issues/116495 ## <a name="mitigation-factors"></a>Mitigation factors Microsoft has not identified any mitigating factors for this vulnerability. ## <a name="affected-software"></a>Affected software * Any .NET 8.0 application running on .NET 8.0.16 or earlier. * Any .NET 9.0 application running on .NET 9.0.5 or earlier. ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any M...

Given this Hurl file: regex.hurl: ``` GET https://foo.com HTTP 200 [Asserts] jsonpath "$.body" matches /<img src="" onerror="alert('Hi!')">/ ``` When exported to HTML: ``` $ hurlfmt --out html regex.hurl <pre><code class="language-hurl"><span class="hurl-entry"><span class="request"><span class="line"><span class="method">GET</span> <span class="url">https://foo.com</span></span> </span><span class="response"><span class="line"><span class="version">HTTP</span> <span class="number">200</span></span> <span class="line"><span class="section-header">[Asserts]</span></span> <span class="line"><span class="query-type">jsonpath</span> <span class="string">"$.body"</span> <span class="predicate-type">matches</span> <span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span> </span></span><span class="line"></span> </code></pre> ``` The regex literal `/<img src="" onerror="alert('Hi!')">/` is not escaped: `<span class="regex">/<img src="" onerror="alert('Hi!')">/</span></span...

# CWA-2025-006: Improper error handling may lead to IBC channel opening despite error **Severity** High (Considerable + Likely)[^1] **Affected versions:** - wasmd 0.60.0 - wasmd >= 0.51.0 < 0.55.1 **Patched versions:** - wasmd 0.60.1, 0.55.1, 0.54.1, 0.53.3 ## Description of the bug A contract erroring during IBC channel opening does not prevent the channel from opening. ## Applying the patch The patch will be shipped in a wasmd release. You will also have to update `libwasmvm` if you build statically. If you already use the latest / close to latest wasmd, you can update more or less as follows: 1. Check the current wasmd version: `go list -m github.com/CosmWasm/wasmd` 2. Bump the `github.com/CosmWasm/wasmd` dependency in your go.mod to 0.60.1 (Cosmos SDK 0.53 compatible), 0.55.1 (Cosmos SDK 0.50 compatible), 0.54.1 or 0.53.3; `go mod tidy`; commit. 3. If you use the static libraries `libwasmvm_muslc.aarch64.a`/`libwasmvm_muslc.x86_64.a`, make sure that you use the same vers...

### Impact When the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. ### Patches TBD ### Workarounds Configure `sslMode=verify-full` to prevent MITM attacks. ### References * https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256 * https://datatracker.ietf.org/doc/html/rfc7677 * https://datatracker.ietf.org/doc/html/rfc5802

Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.

Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.

### Impact The CIRCL implementation of FourQ fails to validate user-supplied low-order points during Diffie-Hellman key exchange, potentially allowing attackers to force the identity point and compromise session security. Moreover, there is an incorrect point validation in ScalarMult can lead to incorrect results in the isEqual function and if a point is on the curve. ### Patches Version 1.6.1 (https://github.com/cloudflare/circl/tree/v1.6.1) mitigates the identified issues. We acknowledge Alon Livne (Botanica Software Labs) for the reported findings.

### Impact Files uploaded by users to Nautobot's `MEDIA_ROOT` directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. For DeviceType image attachments, a mitigating factor is that no URL endpoint exists for listing the contents of the `devicetype-images/` subdirectory, and the file names are as specified by the uploading user, so any given DeviceType image attachment can only be retrieved by correctly guessing its file name. Similarly, for all other image attachments, while the images *can* be listed by accessing the `/api/extras/image-attachments/` endpoint *as an authenticated user only*, absent that authenticated access, accessing the files would again require guessing file names correctly. ### Patches Nautobot v2.4.10 and v1...

### Summary Missing checks allow for SSRF to specific targets using the TestWfsPost enpoint. ### Mitigation To manage the proxy base value as a system administrator, use the parameter ``PROXY_BASE_URL`` to provide a non-empty value that cannot be overridden by the user interface or incoming request.[thomsmith](https://github.com/thomsmith). ### Resolution The TestWfsPost has been replaced in GeoServer 2.25.2 and GeoServer 2.24.4 with a JavaScript [Demo Requests](https://docs.geoserver.org/latest/en/user/configuration/demos/index.html#demo-requests) page to test OGC Web Services. ### References * [CVE-2024-29198](https://github.com/geoserver/geoserver/security/advisories/GHSA-5gw5-jccf-6hxw) Unauthenticated SSRF via TestWfsPost

### Impact _What kind of vulnerability is it? Who is impacted?_ All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot: 1. A malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered. 2. A malicious user could configure this feature set in ways that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ The vulnerability can be partially mitigated by configuring ...