ghsa

### Impact Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors. ### Workarounds Check that you are not using sensitive variables in module sources and versions, as well as backend configurations. The patch will add explicit errors and prevent this from being possible. ### Examples ```hcl variable "backend_path" { type = string sensitive = true } terraform { backend "local" { path = var.backend_path } } ``` ```hcl variable "mod_info" { type = string sensitive = true } module "foo" { source = var.mod_info //version = var.mod_info } ```

### Impact Configuration supplied through `APP_CONFIG_*` environment variables, for example `APP_CONFIG_backend_listen_port=7007`, where unexpectedly ignoring the visibility defined in configuration schema. This occurred even if the configuration schema specified that they should have backend or secret visibility. This was an intended feature of the `APP_CONFIG_*` way of supplying configuration, but now clearly goes against the expected behavior of the configuration system. This behavior leads to a risk of potentially exposing sensitive configuration details intended to remain private or restricted to backend processes. ### Patches The issue has been resolved in version `0.3.75` of the `@backstage/plugin-app-backend` package. Users are encouraged to upgrade to this version to mitigate the vulnerability. ### Workarounds As a temporary measure, avoid supplying secrets using the `APP_CONFIG_` configuration pattern. Consider alternative methods for setting secrets, such as the [enviro...

`JUJU_CONTEXT_ID` is the authentication measure on the unit hook tool abstract domain socket. It looks like `JUJU_CONTEXT_ID=appname/0-update-status-6073989428498739633`. This value looks fairly unpredictable, but due to the random source used, it is highly predictable. `JUJU_CONTEXT_ID` has the following components: - the application name - the unit number - the hook being currently run - a uint63 decimal number On a system the application name and unit number can be deduced by reading the structure of the filesystem. The current hook being run is not easily deduce-able, but is a limited set of possible values, so one could try them all. Finally the random number, this is generated from a non cryptographically secure random source. Specifically the random number generator built into the go standard library, using the current unix time in seconds (at startup) as the seed. There is no rate limiting on the abstract domain socket, the only limiting factor is time (window of time the h...

Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The `org.apache.commons.io.input.XmlStreamReader` class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Schema parsing in the Java SDK of Apache Avro 1.11.3 and previous versions allows bad actors to execute arbitrary code. Users are recommended to upgrade to version 1.11.4  or 1.12.0, which fix this issue.

### Impact We've identified a vulnerability in the Pomerium databroker service API that may grant unintended access under specific conditions. This affects only certain Pomerium Zero and Pomerium Enterprise deployments. #### Who is affected? A Pomerium deployment is susceptible to this issue if _all_ of the following conditions are met: - You have issued a [service account](https://www.pomerium.com/docs/capabilities/service-accounts) access token using Pomerium Zero or Pomerium Enterprise. - The access token has an explicit expiration date in the future. - The core Pomerium databroker gRPC API is not otherwise secured by network access controls. If your deployment does not meet _all_ of these conditions, you are not affected by this vulnerability. #### Details The Pomerium databroker service is responsible for managing all persistent Pomerium application state. Requests to the databroker service API are authorized by the presence of a JSON Web Token (JWT) signed by a key known by...

Contao 5.4.1 allows an authenticated admin account to upload a SVG file containing malicious javascript code into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted javascript to the target.

October 3.6.30 allows an authenticated admin account to upload a PDF file containing malicious JavaScript into the target system. If the file is accessed through the website, it could lead to a Cross-Site Scripting (XSS) attack or execute arbitrary code via a crafted JavaScript to the target.

Zenario 9.7.61188 allows authenticated admin users to upload PDF files containing malicious code into the target system. If the PDF file is accessed through the website, it can trigger a Cross Site Scripting (XSS) attack.

Zenario 9.7.61188 is vulnerable to Cross Site Scripting (XSS) in the Image library via the "Organizer tags" field.