Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-37x3-j9jq-vrjx: Dcat-Admin Cross-Site Scripting (XSS) vulnerability

Dcat-Admin v2.2.0-beta and v2.2.2-beta contains a Cross-Site Scripting (XSS) vulnerability via /admin/auth/menu and /admin/auth/extensions.

ghsa
Open in Source
#xss#vulnerability#auth
GHSA-9q34-7hfr-h8jm: Dcat Admin Cross-site Scripting (XSS) vulnerability

Dcat Admin v2.2.0-beta contains a cross-site scripting (XSS) vulnerability in /admin/articles/create.

GHSA-7p2g-2vxc-5g55: Letta (previously MemGPT) incorrect access control vulnerability

Incorrect access control in the /users endpoint of Cpacker MemGPT v0.3.17 allows attackers to access sensitive data.

GHSA-hqmp-g7ph-x543: TunnelVision - decloaking VPNs using DHCP

A new decloaking technique for nearly all VPN implementations has been found, which allows attackers to inject entries into the routing tables of unsuspecting victims using DHCP option 121. This allows attackers to redirect traffic, which is supposed to be sent encrypted over the VPN, through the physical interface handling DHCP for the network the victim's computer is connected to, effectively bypassing the VPN connection. ### Impact All users are potentially affected, as this attack vector can be used against _any_ VPN implementation without mitigations in place. ### Patches Currently, there are no existing mitigations employed by Quincy. ### Workarounds Disabling DHCP option 121 in the DHCP client is a potential workaround, as it prevents this kind of attack. ### References https://www.leviathansecurity.com/blog/tunnelvision

ghsa
Open in Source
GHSA-j5vv-6wjg-cfr8: changedetection.io Vulnerable to Improper Input Validation Leading to LFR/Path Traversal

### Summary Improper input validation in the application can allow attackers to perform local file read (LFR) or path traversal attacks. These vulnerabilities occur when user input is used to construct file paths without adequate sanitization or validation. For example, using `file:../../../etc/passwd` or `file: ///etc/passwd` can bypass weak validations and allow unauthorized access to sensitive files. Even though this has been addressed in previous patch, it is still insufficient. ### Details The check in this line of code is insufficient. ``` if re.search(r'^file:/', url.strip(), re.IGNORECASE): ``` The attacker can still bypass this by using: -`file:../../../../etc/passwd` -`file: ///etc/passwd` (with space before /) ### PoC - Open up a changedetection.io instance with a webdriver configured. - Create a new watch with `file:../../../../etc/passwd`. - Check the watch preview. - The contents of `/etc/passwd` should pop out. ### Screenshots ![image](https://github.com/user-attachme...

GHSA-qx95-cwh6-9mvq: TCPDF missing character escape on error messages

An issue was discovered in TCPDF before 6.8.0. The Error function lacks an htmlspecialchars call for the error message.

GHSA-w95c-7994-ghpr: TCPDF has incorrect comparison

An issue was discovered in TCPDF before 6.8.0. unserializeTCPDFtag uses != (aka loose comparison) and does not use a constant-time function to compare TCPDF tag hashes.

GHSA-9mgx-552f-59p6: TCPDF missing certificate validation

An issue was discovered in TCPDF before 6.8.0. If libcurl is used, CURLOPT_SSL_VERIFYHOST and CURLOPT_SSL_VERIFYPEER are set unsafely.

GHSA-4p8j-vhjm-6pvw: TCPDF lacks SVG sanitization

An issue was discovered in TCPDF before 6.8.0. setSVGStyles does not sanitize the SVG font-family attribute.

GHSA-grhh-r4jj-8jh7: tecnickcom/tc-lib-pdf-font mishandles fonts

An issue was discovered in tc-lib-pdf-font before 2.6.4, as used in TCPDF before 6.8.0 and other products. Fonts are mishandled, e.g., FontBBox for Type 1 and TrueType fonts is misparsed.