ghsa

### Impact Reflected XSS vulnerabilities in two templates allow an attacker to execute malicious JavaScript code in the context of the victim's session by getting the victim to visit an attacker-controlled URL. PoC URLs are `/xwiki/bin/view/Main/?xpage=job_status_json&jobId=asdf&translationPrefix=<img src=1 onerror=alert(document.domain)>` and `/xwiki/bin/view/Main/?xpage=distribution&extensionId=%3Cimg src=x onerror=alert(document.domain)%3E&extensionVersionConstraint=%3Cimg src=x onerror=alert(document.domain)%3E`. This allows the attacker to perform arbitrary actions using the permissions of the victim. ### Patches The problem has been patched in XWiki 16.4.8, 16.10.6 and 17.3.0RC1 by adding escaping in the affected templates. ### Workarounds The affected templates can be patched manually in the WAR by applying the same changes as in [the patch](https://github.com/xwiki/xwiki-platform/commit/e5926a938cbecc8b1eaa48053d8d370cff107cb0). ### Attribution The vulnerability involving `...

An issue in ThinkPHP Framework v.5.1 allows a remote attacker to execute arbitrary code via the routecheck function.

### Impact This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. ### Patches Fixed as of version 2.6.4 ### Workarounds No.

### Description When using Fiber's `Ctx.BodyParser` to parse form data containing a large numeric key that represents a slice index (e.g., `test.18446744073704`), the application crashes due to an out-of-bounds slice allocation in the underlying schema decoder. The root cause is that the decoder attempts to allocate a slice of length `idx + 1` without validating whether the index is within a safe or reasonable range. If `idx` is excessively large, this leads to an integer overflow or memory exhaustion, causing a panic or crash. ### Steps to Reproduce Create a POST request handler that accepts `x-www-form-urlencoded` data ```go package main import ( "fmt" "net/http" "github.com/gofiber/fiber/v2" ) type RequestBody struct { NestedContent []*struct{} `form:"test"` } func main() { app := fiber.New() app.Post("/", func(c *fiber.Ctx) error { formData := RequestBody{} if err := c.BodyParser(&formData); err != nil { fmt.Println(err) return c.SendStatus(http.StatusUnp...

### Summary A command injection vulnerability exists in the `mcp-package-docs` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools to access documentation for several types of packages. An MCP Client can be instructed to execute additional actions for example via prompt injection when asked to read package documentation. Below some example of vulnerable code and different ways to test this vulnerability including a real example of indirect prompt injection that can lead to arbitrary command injection. ### Vulnerable...

The vulnerable code can bypass the Captcha check in Liferay Portal 7.4.3.80 through 7.4.3.132, and Liferay DXP 2024.Q1.1 through 2024.Q1.19, 2024.Q2.0 through 2024.Q2.13, 2024.Q3.0 through 2024.Q3.13, 2024.Q4.0 through 2024.Q4.7, 2025.Q1.0 through 2025.Q1.15 and 7.4 update 80 through update 92 and then attackers can run scripts in the Gogo shell

### Summary * When an attacker obtains the backend login path of RatPanel (including but not limited to weak default paths, brute-force cracking, etc.), they can execute system commands or take over hosts managed by the panel **without logging in**. * In addition to this **remote code execution (RCE) vulnerability**, the flawed code also leads to **unauthorized access**. ### Details In Go, `r.URL.Path` retrieves the part of the URL that comes after the port and before the query parameters or anchor symbols. For example, in the URL `http://localhost:8080/api/ws/ssh?id=1`, the retrieved path would be `/api/ws/ssh`. However, if the request is made to `http://localhost:8080//api/ws/ssh?id=1`, the parsed `r.URL.Path` would be `//api/ws/ssh`. RatPanel uses the `CleanPath` middleware provided by `github.com/go-chi/chi` package to clean URLs, The route path inside the chi router will be cleaned to `/api/ws/ssh`, but this middleware does not process `r.URL.Path`, so the path is still `//a...

### Summary The channel window adjust message of the SSH protocol is used to track the free space in the receive buffer of the other side of a channel. The current implementation takes the value from the message and adds it to an internal state value. This can result in a integer overflow. If the Rust code is compiled with overflow checks, it will panic. A malicious client can crash a server. ### Details According https://datatracker.ietf.org/doc/html/rfc4254#section-5.2, The value must not overflow. The incorrect handling is done in server/encrypted.rs and client/encrypted.rs in the handling of CHANNEL_WINDOW_ADJUST. ``` let amount = map_err!(u32::decode(&mut r))?; ... channel.recipient_window_size += amount; ``` It could be replaced with something like ``` if let Some(ref mut channel) = enc.channels.get_mut(&channel_num) { // rfc 4254: The window MUST NOT be increased above 2^32 - 1 bytes. new_size = channel.recipient_window...

A prototype pollution vulnerability in `js-toml` allows a remote attacker to add or modify properties of the global `Object.prototype` by parsing a maliciously crafted TOML input. ### Impact The `js-toml` library is vulnerable to Prototype Pollution. When parsing a TOML string containing the specially crafted key `__proto__`, an attacker can add or modify properties on the global `Object.prototype`. While the `js-toml` library itself does not contain known vulnerable "gadgets", this can lead to severe security vulnerabilities in applications that use the library. For example, if the consuming application checks for the existence of a property for authorization purposes (e.g., `user.isAdmin`), this vulnerability could be escalated to an authentication bypass. Other potential impacts in the application include Denial of Service (DoS) or, in some cases, Remote Code Execution (RCE), depending on the application's logic and dependencies. Any application that uses an affected version of ...

### Summary **Path Traversal in pyLoad-ng CNL Blueprint via `package` parameter allows Arbitrary File Write leading to Remote Code Execution (RCE)** The `addcrypted` endpoint in `pyload-ng` suffers from an unsafe path construction vulnerability, allowing unauthenticated attackers to write arbitrary files outside the designated storage directory. This can be abused to overwrite critical system files, including cron jobs and systemd services, leading to privilege escalation and remote code execution as root. ### Details * **Endpoint**: `POST /addcrypted` * **Issue**: `src/pyload/webui/app/blueprints/cnl_blueprint.py` #### Vulnerable Code ```python dlc_path = os.path.join( dl_path, package.replace("/", "").replace("\\", "").replace(":", "") + ".dlc" ) dlc = flask.request.form["crypted"].replace(" ", "+") with open(dlc_path, mode="wb") as fp: ``` ### PoC ```http POST /addcrypted HTTP/1.1 Host: localhost:8000 Content-Type: application/x-www-form-urlencoded Content-Length:...