ghsa

# Unauthorized Reflected XSS in the constructor of the `Downloader` class **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/download.php` script, an attacker can perform a XSS-type attack **Impact**: execution of arbitrary JavaScript code in the browser **Vulnerable component**: the constructor of the `Downloader` class **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the `name` and `type` variables **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in the constructor of the `Downloader` class) in Phpspreadsheet. ...

The Trix editor, versions prior to 2.1.11, is vulnerable to XSS when pasting malicious code in the link field. ### Impact An attacker could trick the user to copy&paste a malicious `javascript:` URL as a link that would execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed. See https://gist.github.com/th4s1s/3921fd9c3e324ad9a3e0d846166e3eb8 ### Patches Update Recommendation: Users should upgrade to Trix editor version 2.1.12 or later. ### Workarounds This is not really a workaround but something that should be considered in addition to upgrading to the patched version. If affected users can disallow browsers that don't support a Content Security Policy, then this would be an effective workaround for this and all XSS vulnerabilities. Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin are executed, and explicitly p...

### Summary A **arbitrary file deletion vulnerability** has been identified in the latest version of Siyuan Note. The vulnerability exists in the `POST /api/history/getDocHistoryContent` endpoint.An attacker can craft a payload to exploit this vulnerability, resulting in the deletion of arbitrary files on the server. ### Details The vulnerability can be reproduced by sending a crafted request to the `/api/history/getDocHistoryContent` endpoint. Sending a request to the `/api/history/getDocHistoryContent` like: ``` curl "http://127.0.0.1:6806/api/history/getDocHistoryContent" -X POST -H "Content-Type: application/json" -d '{"historyPath":"<abs_filepath_of_a_file>"}' ``` Replace `<abs_filepath_of_a_file>` with the absolute file path of the target file you wish to delete. The `historyPath` parameter in the payload is processed by the `func getDocHistoryContent` in `api/history.go:133`. In turn, `historyPath` is passed to the `func GetDocHistoryContent` located in `model/history....

### Impact _What kind of vulnerability is it? Who is impacted?_ Both in karmadactl and karmada-operator, it is possible to supply a filesystem path, or an HTTP(s) URL to retrieve the custom resource definitions(CRDs) needed by karmada. The CRDs are downloaded as a gzipped tarfile and are vulnerable to a TarSlip vulnerability. An attacker able to supply a malicious CRD file into a karmada initialization could write arbitrary files in arbitrary paths of the filesystem. ### Patches _Has the problem been patched? What versions should users upgrade to?_ From karmada version v1.12.0, when processing custom CRDs files, CRDs archive verification is utilized to enhance file system robustness. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ When using `karmadactl init` to set up Karmada, if you need to set flag `--crd` to customize the CRD files required for karmada initialization, you can manually inspect the CRD files to check whether th...

### Impact _What kind of vulnerability is it? Who is impacted?_ The [PULL](https://karmada.io/docs/next/userguide/clustermanager/cluster-registration#pull-mode) mode clusters registered with the `karmadactl register` command have excessive privileges to access control plane resources. By abusing these permissions, an attacker able to authenticate as the karmada-agent to a karmada cluster would be able to obtain administrative privileges over the entire federation system including all registered member clusters. ### Patches _Has the problem been patched? What versions should users upgrade to?_ Since Karmada v1.12.0, command `karmadactl register` restricts the access permissions of pull mode member clusters to control plane resources. This way, an attacker able to authenticate as the karmada-agent cannot control other member clusters in Karmada. ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ Restricts the access permissions of pu...

# Unauthorized Reflected XSS in `Convert-Online.php` file **Product**: Phpspreadsheet **Version**: version 3.6.0 **CWE-ID**: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') **CVSS vector v.3.1**: 8.2 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N) **CVSS vector v.4.0**: 8.3 (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:L/SI:H/SA:L) **Description**: using the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` script, an attacker can perform a XSS-type attack **Impact**: executing arbitrary JavaScript code in the browser **Vulnerable component**: the `/vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php` file **Exploitation conditions**: an unauthorized user **Mitigation**: sanitization of the quantity variable **Researcher**: Aleksey Solovev (Positive Technologies) # Research The researcher discovered zero-day vulnerability Unauthorized Reflected Cross-Site Scripting (XSS) (in `Convert-Online.php` file) in Php...

### Summary Due to insufficient validation on the content of new FAQ posts, it is possible for authenticated users to inject malicious HTML or JavaScript code that can impact other users viewing the FAQ. This vulnerability arises when user-provided inputs in FAQ entries are not sanitized or escaped before being rendered on the page. ### Details An attacker can inject malicious HTML content into the FAQ editor at http://localhost/admin/index.php?action=editentry, resulting in a complete disruption of the FAQ page's user interface. By injecting malformed HTML elements styled to cover the entire screen, an attacker can render the page unusable. This injection manipulates the page structure by introducing overlapping buttons, images, and iframes, breaking the intended layout and functionality. ### PoC 1. In the source code of a FAQ Q&A post, insert the likes of this snippet: ``` <p>&lt;--`<img src="&#96;"> --!&gt;</p> <div style="position: absolute; top: 0; left: 0; width: 100%; height...

A security issue was discovered in the LRA Coordinator component of Narayana. When Cancel is called in LRA, an execution time of approximately 2 seconds occurs. If Join is called with the same LRA ID within that timeframe, the application may crash or hang indefinitely, leading to a denial of service.

### Summary This is a POC for a path-sanitizer [npm package](https://www.npmjs.com/package/path-sanitizer). The filters can be bypassed and can result in path traversal. Payload: `..=%5c` can be used to bypass this on CLI (along with other candidates). Something similar would likely work on web apps as well. ### PoC Here's the code to test for the filter bypass: ```js const sanitize = require("path-sanitizer") const path = require("path") const fs = require("fs") // Real scenario: function routeHandler(myPath) { // Lets just assume that the path was extracted from the request // We want to read a file in the C:\Users\user\Desktop\myApp\ directory // But the user should be able to access C:\Users\user\Desktop\ // So we need to sanitize the path const APP_DIR = "/var/hacker" const sanitized = path.join(APP_DIR, sanitize(myPath)) // Now we would usally read the file // But in this case we just gonna print the path // console.log(sanitized) return sanitized } fu...

A flaw was found in the Hive ClusterDeployments resource in OpenShift Dedicated. In certain conditions, this issue may allow a developer account on a Hive-enabled cluster to obtain cluster-admin privileges by executing arbitrary commands on the hive/hive-controllers pod.