ghsa

Versions of the package djangorestframework before 3.15.2 are vulnerable to Cross-site Scripting (XSS) via the break_long_headers template filter due to improper input sanitization before splitting and joining with <br> tags.

### Impact Documentation generated with `pdoc --math` linked to JavaScript files from polyfill.io. The polyfill.io CDN has been sold and now serves malicious code. Users who produce documentation with math mode should update immediately. All other users are unaffected. ### Patches This issue has been fixed in pdoc 14.5.1. ### References https://github.com/mitmproxy/pdoc/pull/703 https://sansec.io/research/polyfill-supply-chain-attack ### Timeline - **[2024-06-25]** https://sansec.io/research/polyfill-supply-chain-attack is published. - **[2024-06-25 20:54 UTC]** Issue reported to the pdoc project by @adhintz. - **[2024-06-25 21:33 UTC]** Patched version released. - **[2024-06-25 21:37 UTC]** Security advisory published.

HashiCorp’s go-getter library can be coerced into executing Git update on an existing maliciously modified Git Configuration, potentially leading to arbitrary code execution. When go-getter is performing a Git operation, go-getter will try to clone the given repository in a specified destination. Cloning initializes a git config to the provided destination and if the repository needs to get updated go-getter will pull the new changes . An attacker may alter the Git config after the cloning step to set an arbitrary Git configuration to achieve code execution.

### Impact Debug information can reveal sensitive information from environment variables in error log ### Affected platform Laravel environments with multi-vendor setups and admin access for the vendors

### Impact In DSpace 7.0 through 7.6.1, when an HTML, XML or JavaScript Bitstream is downloaded, the user's browser _may_ execute any embedded JavaScript. If that embedded JavaScript is malicious, there is a risk of an XSS attack. This attack may only be initialized by a user who already has Submitter privileges in the repository. The submitter must upload the malicious HTML/XML/JavaScript file themselves. The attack itself would not occur until a different authenticated user downloads the malicious file. CORS and CSRF protection built into DSpace help to limit the impact of the attack (and may block it in some scenarios). If the repository is configured to only download HTML / XML / JavaScript Bitstreams using the [`Content-Disposition: attachment`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Disposition) header, then the attack is no longer possible. See "Workarounds" below. ### Patches The fix is included in both 8.0 and 7.6.2. Please upgrade to one of t...

### Impact Before deserializing CycloneDX Bill of Materials in XML format, _cyclonedx-core-java_ leverages XPath expressions to determine the schema version of the BOM. The `DocumentBuilderFactory` used to evaluate XPath expressions was not configured securely, making the library vulnerable to XML External Entity (XXE) injection. XXE injection can be exploited to exfiltrate local file content, or perform Server Side Request Forgery (SSRF) to access infrastructure adjacent to the vulnerable application. ### PoC ```java import org.cyclonedx.parsers.XmlParser; class Poc { public static void main(String[] args) { // Will throw org.cyclonedx.exception.ParseException: java.net.ConnectException: Connection refused new XmlParser().parse(""" <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE bom [<!ENTITY % sp SYSTEM "https://localhost:1010/does-not-exist/file.dtd"> %sp;]> <bom xmlns="http://cyclonedx.org/schema/bom/1.5"/> ...

go-retryablehttp prior to 0.7.7 did not sanitize urls when writing them to its log file. This could lead to go-retryablehttp writing sensitive HTTP basic auth credentials to its log file. This vulnerability, CVE-2024-6104, was fixed in go-retryablehttp 0.7.7.

### Impact The content of a document included using `{{include reference="targetdocument"/}}` is executed with the right of the includer and not with the right of its author. This means that any user able to modify the target document can impersonate the author of the content which used the `include` macro. ### Patches This has been patched in XWiki 15.0 RC1 by making the default behavior safe. ### Workarounds Make sure to protect any included document to make sure only allowed users can modify it. A workaround have been provided in 14.10.2 to allow forcing to execute the included content with the target content author instead of the default behavior. See https://extensions.xwiki.org/xwiki/bin/view/Extension/Include%20Macro#HAuthor for more details. ### References https://jira.xwiki.org/browse/XWIKI-5027 https://jira.xwiki.org/browse/XWIKI-20471 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Jira XWiki.org](https://j...

## Summary ZIP files uploaded to the server-side endpoint handling a `CodeChecker store` are not properly sanitized. An attacker can exercise a path traversal to make the `CodeChecker server` load and display files from an arbitrary location on the server machine. ## Details ### Target The vulnerable endpoint is `/<PRODUCT_URL>/v6.53/CodeCheckerService@massStoreRun`. ### Exploit overview The attack is made possible by improper sanitization at one point in the process. 1. When the ZIP file is uploaded by `CodeChecker store`, it is first unzipped to a temporary directory (safely). 2. When deciding which files to insert into CodeChecker's internal database, the decision is made based on the `content_hashes.json` in the ZIP. An attacker has control over the contents of this file. 3. After reading that file, the paths specified in the JSON are normalized by this code: https://github.com/Ericsson/codechecker/blob/fa41e4e5d9566b5a4f5a80a27bddec73a5146f5a/web/server/codechecker_server/a...

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Apache StreamPipes user self-registration and password recovery mechanism. This allows an attacker to guess the recovery token in a reasonable time and thereby to take over the attacked user's account. This issue affects Apache StreamPipes: from 0.69.0 through 0.93.0. Users are recommended to upgrade to version 0.95.0, which fixes the issue.