ghsa

### Summary The `WriteBind()` method in `src/Npgsql/Internal/NpgsqlConnector.FrontendMessages.cs` uses `int` variables to store the message length and the sum of parameter lengths. Both variables overflow when the sum of parameter lengths becomes too large. This causes Npgsql to write a message size that is too small when constructing a Postgres protocol message to send it over the network to the database. When parsing the message, the database will only read a small number of bytes and treat any following bytes as new messages while they belong to the old message. Attackers can abuse this to inject arbitrary Postgres protocol messages into the connection, leading to the execution of arbitrary SQL statements on the application's behalf. ### Details Please see [this attached PDF file](https://github.com/npgsql/npgsql/files/14309386/Npgsql.Security.Advisory.pdf) for a detailed description, including the suspected root cause, exploitation steps, impact, and recommendations on for fixin...

### Impact XML External entity injections could be possible, when running the provided XML Validator on arbitrary input. #### POC ```js const { Spec: { Version }, Validation: { XmlValidator } } = require('@cyclonedx/cyclonedx-library'); const version = Version.v1dot5; const validator = new XmlValidator(version); const input = `<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE poc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <bom xmlns="http://cyclonedx.org/schema/bom/1.5"> <components> <component type="library"> <name>testing</name> <version>1.337</version> <licenses> <license> <id>&xxe;</id><!-- << XML external entity (XXE) injection --> </license> </licenses> </component> </components> </bom>`; // validating this forged(^) input might lead to unintended behaviour // for the fact that the XML external entity would be taken into account. validator.validate(input).then(ve => { console.error('validation error', v...

### Impact Some specifically configured Spin applications that use `self` requests without a specified URL authority can be induced to make requests to arbitrary hosts via the `Host` HTTP header. If an application's manifest contains a component with configuration such as ```toml allowed_outbound_hosts = ["http://self", "https://self"] ``` and code such as ```rust let res: Response = spin_sdk::http::send( Request::new(Method::Get, "/") // Note: the request URI does not contain a URL authority ).await?; ``` Then that application can be induced to send an outgoing request to another host (leading the app to process the response assuming it comes from another component in the same application). This can be induced with a request such as ```shell curl -H"Host: google.com:80" localhost:3000 # Assuming the application is served on localhost:3000 ``` > Note: If using a SDK that does not use `wasi:http/outgoing-handler`, the port can be omitted from the URL. #### Vulnerable Conf...

Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0. The attackers can bypass using malicious parameters. Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it. [1] https://github.com/apache/inlong/pull/9694 [2]  https://github.com/apache/inlong/pull/9707

The Deno sandbox may be unexpectedly weakened by allowing file read/write access to privileged files in various locations on Unix and Windows platforms. For example, reading `/proc/self/environ` may provide access equivalent to `--allow-env`, and writing `/proc/self/mem` may provide access equivalent to `--allow-all`. Users who grant read and write access to the entire filesystem may not realize that these access to these files may have additional, unintended consequences. The documentation did not reflect that this practice should be undertaken to increase the strength of the security sandbox. ### Impact Users who run code with `--allow-read` or `--allow-write` may unexpectedly end up granting additional permissions via file-system operations. ### Patches Deno 1.43 and above require explicit `--allow-all` access to read or write `/etc`, `/dev` on unix platform (as well as `/proc` and `/sys` on linux platforms), and any path starting with `\\` on Windows. ### Workarounds The se...

### Summary When executing the following simple query, the `vtgate` will go into an endless loop that also keeps consuming memory and eventually will OOM. ### Details When running the following query, the `evalengine` will try evaluate it and runs forever. ``` select _utf16 0xFF ``` The source of the bug lies in the collation logic that we have. The bug applies to all `utf16`, `utf32` and `ucs2` encodings. In general, the bug is there for any encoding where the minimal byte length for a single character is more than 1 byte. The decoding functions for these collations all implement logic like the following to enforce the minimal character length: https://github.com/vitessio/vitess/blob/8f6cfaaa643a08dc111395a75a2d250ee746cfa8/go/mysql/collations/charset/unicode/utf16.go#L69-L71 The problem is that all the callers of `DecodeRune` expect progress by returning the number of bytes consumed. This means that if there's only 1 byte left in an input, it will here return still `0` and ...

The Cypher component in Neo4j before 5.19.0 mishandles IMMUTABLE privileges.

A vulnerability was found in Kimai up to 2.15.0 and classified as problematic. Affected by this issue is some unknown functionality of the component Session Handler. The manipulation of the argument PHPSESSIONID leads to information disclosure. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. Upgrading to version 2.16.0 is able to address this issue. It is recommended to upgrade the affected component. VDB-263318 is the identifier assigned to this vulnerability.

Cross-site scripting (XSS) vulnerability in the search function in MvnRepository MS Basic 2.1.18.3 and earlier.

The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. **Vulnerable Versions**: Up to 2.1.0 **Fixed Version**: 2.1.1 **Vector**: - **Bug 1**: When copying content manipulated by a script, such as: ```js document.addEventListener('copy', function(e){ e.clipboardData.setData('text/html', '<div><noscript><div class="123</noscript>456<img src=1 onerror=alert(1)//"></div></noscript></div>'); e.preventDefault(); }); ``` and pasting into the Trix editor, the script within the content is executed. - **Bug 2**: Similar execution occurs with content structured as: ```js document.write(`copy<div data-trix-attachment="{&quot;contentType&quot;:&quot;text/html&quot;,&quot;content&quot;:&quot;&l...