Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-cchp-3rq6-69wj: events2 TYPO3 extension insecure direct object reference (IDOR) vulnerability

An issue was discovered in the events2 (aka Events 2) extension before 8.3.8 and 9.x before 9.0.6 for TYPO3. Missing access checks in the management plugin lead to an insecure direct object reference (IDOR) vulnerability with the potential to activate or delete various events for unauthenticated users.

ghsa
Open in Source
#vulnerability#git#auth
GHSA-jg62-h7pv-hxgv: FriendlyCaptcha Plugin for TYPO3 Captcha Check Bypass

An issue was discovered in the friendlycaptcha_official (aka Integration of Friendly Captcha) extension before 0.1.4 for TYPO3. The extension fails to check the requirement of the captcha field in submitted form data, allowing a remote user to bypass the captcha check. This only affects the captcha integration for the ext:form extension.

GHSA-v2xm-76pq-phcf: ClassGraph XML External Entity Reference

ClassGraph before 4.8.112 was not resistant to XML eXternal Entity (XXE) attacks.

GHSA-9gxx-58q6-42p7: Lightning Network Daemon (LND)'s onion processing logic leads to a denial of service

### Impact A parsing vulnerability in lnd's onion processing logic led to a DoS vector due to excessive memory allocation. ### Patches The issue was patched in lnd [v0.17.0](https://github.com/lightningnetwork/lnd/releases/tag/v0.17.0-beta). Users should update to a version >= v0.17.0 to be protected. ### References Detailed blog post: https://morehouse.github.io/lightning/lnd-onion-bomb/ Developer discussion: https://delvingbitcoin.org/t/dos-disclosure-lnd-onion-bomb/979

GHSA-h95x-26f3-88hr: js2py allows remote code execution

An issue in the component `js2py.disable_pyimport()` of js2py up to v0.74 allows attackers to execute arbitrary code via a crafted API call.

GHSA-grjv-gjgr-66g2: SpiceDB exclusions can result in no permission returned when permission expected

### Background Use of an exclusion under an arrow that has multiple resources may resolve to `NO_PERMISSION` when permission is expected. For example, given this schema: ```zed definition user {} definition folder { relation member: user relation banned: user permission view = member - banned } definition resource { relation folder: folder permission view = folder->view } ``` If the resource exists under *multiple* folders and the user has access to view more than a single folder, SpiceDB may report the user does not have access due to a failure in the exclusion dispatcher to request that *all* the folders in which the user is a member be returned ### Impact Permission is returned as `NO_PERMISSION` when `PERMISSION` is expected on the `CheckPermission` API. ### Workarounds None

GHSA-rvj4-q8q5-8grf: ACME DNS: Azure Identity Libraries Elevation of Privilege Vulnerability

### Impact There is a vulnerability in [Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2024-35255). ### References - [CVE-2024-35255](https://nvd.nist.gov/vuln/detail/CVE-2024-35255) ### Patches - https://github.com/traefik/traefik/releases/tag/v2.11.5 - https://github.com/traefik/traefik/releases/tag/v3.0.3 ### Workarounds No workaround. ### For more information If you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).

GHSA-j584-j2vj-3f93: XWiki Platform allows remote code execution from user account

### Impact When an admin disables a user account, the user's profile is executed with the admin's rights. This allows a user to place malicious code in the user profile before getting an admin to disable the user account. To reproduce, as a user without script nor programming rights, edit the about section of your user profile and add `{{groovy}}services.logging.getLogger("attacker").error("Hello from Groovy!"){{/groovy}}`. As an admin, go to the user profile and click the "Disable this account" button. Then, reload the page. If the logs show `attacker - Hello from Groovy!` then the instance is vulnerable. ### Patches This has been patched in XWiki 14.10.21, 15.5.5, 15.10.6 and 16.0.0. ### Workarounds We're not aware of any workaround except upgrading. ### References * https://jira.xwiki.org/browse/XWIKI-21611 * https://github.com/xwiki/xwiki-platform/commit/f89c8f47fad6e5cc7e68c69a7e0acde07f5eed5a

GHSA-hw5f-6wvv-xcrh: SFTPGo has insufficient access control for password reset

### Impact SFTPGo WebAdmin and WebClient support password reset. This feature is disabled in the default configuration. In SFTPGo versions prior to v2.6.1, if the feature is enabled, even users with access restrictions (e.g. expired) can reset their password and log in. ### Patches Fixed in v2.6.1. ### Workarounds The following workarounds are available: - keep the password reset feature disabled. - Set a blank email address for users and admins with access restrictions so they cannot receive the email with the reset code and exploit the vulnerability.

GHSA-9442-gm4v-r222: Undertow's url-encoded request path information can be broken on ajp-listener

A vulnerability was found in Undertow. URL-encoded request path information can be broken for concurrent requests on ajp-listener, causing the wrong path to be processed and resulting in a possible denial of service.