ghsa

An issue in the component src/api/identity.rs of Vaultwarden prior to v1.32.5 allows attackers to impersonate users, including Administrators, via a crafted authorization request.

Vaultwarden v1.32.5 was discovered to contain an authenticated reflected cross-site scripting (XSS) vulnerability via the component /api/core/mod.rs.

**Vulnerability Summary** A type confusion vulnerability exists in Strawberry GraphQL's relay integration that affects multiple ORM integrations (Django, SQLAlchemy, Pydantic). The vulnerability occurs when multiple GraphQL types are mapped to the same underlying model while using the relay `node` interface. **Affected Components** - Strawberry GraphQL relay integration - Specifically impacts implementations using: - Django integration - SQLAlchemy integration - Pydantic integration **Technical Details** The vulnerability manifests when: 1. Multiple GraphQL types inherit from `relay.Node` 2. These types are mapped to the same database model 3. The global `node` field is used for type resolution Example of vulnerable code: ```python from fruits.models import Fruit import strawberry_django import strawberry @strawberry_django.type(Fruit) class FruitType(relay.Node): name: strawberry.auto @strawberry_django.type(Fruit) class SpecialFruitType(relay.Node): secret_name: ...

### Impact The project's provided HTTP client's local JWK Set cache should do a full replacement when the goroutine refreshes the remote JWK Set. The current behavior is to overwrite or append. This is a security issue for use cases that utilize the provided auto-caching HTTP client and where key removal from a JWK Set is equivalent to revocation. Example attack scenario: 1. An attacker has stolen the private key for a key published in JWK Set. 2. The publishers of that JWK Set remove that key from the JWK Set. 3. Enough time has passed that the program using the auto-caching HTTP client found in `github.com/MicahParks/jwkset` v0.5.0-v0.5.21 has elapsed its `HTTPClientStorageOptions.RefreshInterval` duration, causing a refresh of the remote JWK Set. 4. The attacker is signing content (such as JWTs) with the stolen private key and the system has no other forms of revocation. ### Patches The affected auto-caching HTTP client was added in version `v0.5.0` and fixed in `v0.6.0`. Upgrade ...

A vulnerability was found in pgadmin. Users logging into pgAdmin running in server mode using LDAP authentication may be attached to another user's session if multiple connection attempts occur simultaneously.

Mattermost versions 9.11.x <= 9.11.5 fail to enforce invite permissions, which allows team admins, with no permission to invite users to their team, to invite users by updating the "allow_open_invite" field via making their team public.

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

Mattermost versions 10.2.0, 9.11.x <= 9.11.5, 10.0.x <= 10.0.3, 10.1.x <= 10.1.3 fail to properly validate post types, which allows attackers to deny service to users with the sysconsole_read_plugins permission via creating a post with the custom_pl_notification type and specific props.

SickChill is an automatic video library manager for TV shows. A user-controlled `login` endpoint's `next_` parameter takes arbitrary content. Prior to commit c7128a8946c3701df95c285810eb75b2de18bf82, an authenticated attacker may use this to redirect the user to arbitrary destinations, leading to open redirect. Commit c7128a8946c3701df95c285810eb75b2de18bf82 changes the login page to redirect to `settings.DEFAULT_PAGE` instead of to the `next` parameter.

### Impact Application passing unsanitized user input to `Carbon::setLocale` are at risk of arbitrary file include, if the application allows users to upload files with `.php` extension in an folder that allows `include` or `require` to read it, then they are at risk of arbitrary code ran on their servers. ### Patches - [3.8.4](https://github.com/briannesbitt/Carbon/releases/tag/3.8.4) - [2.72.6](https://github.com/briannesbitt/Carbon/releases/tag/2.72.6) ### Workarounds Any of the below actions can be taken to prevent the issue: - Validate input before calling `setLocale()`, for instance by forbidding or removing `/` and `\` - Call `setLocale()` only with a locale from a whitelist of supported locales - When uploading files, rename them so they cannot have a `.php` extension (this is recommended even if you're not affected by this issue) - Prefer storage system that are not local to the application (remote service, or local service ran by another user so the uploaded files actually ...