Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-3j7m-5g4q-gfpc: TinyEnv: Missing .env file not required — may cause unexpected behavior

### Impact TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to **unexpected behavior** where the application silently ignores missing configuration, potentially causing insecure defaults or deployment misconfigurations. Affected versions: - **1.0.1 → 1.0.2** - **1.0.9 → 1.0.10** ### Patches The issue has been fixed in **version 1.0.11**. All users should upgrade to `1.0.11` or later. ### Workarounds As a workaround, users can manually verify the existence of the `.env` file before initializing TinyEnv, for example: ```php if (!file_exists(__DIR__ . '/.env')) { throw new RuntimeException('.env file is missing!'); }

ghsa
#git#php
GHSA-g4jq-h2w9-997c: Vite middleware may serve files starting with the same name with the public directory

### Summary Files starting with the same name with the public directory were served bypassing the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host)) - uses [the public directory feature](https://vite.dev/guide/assets.html#the-public-directory) (enabled by default) - a symlink exists in the public directory ### Details The [servePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L79) function is in charge of serving public files from the server. It returns the [viteServePublicMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L106) function which runs the needed tests and serves the page. The viteSer...

GHSA-jqfw-vq24-v9c3: Vite's `server.fs` settings were not applied to HTML files

### Summary Any HTML files on the machine were served regardless of the `server.fs` settings. ### Impact Only apps that match the following conditions are affected: - explicitly exposes the Vite dev server to the network (using --host or [server.host config option](https://vitejs.dev/config/server-options.html#server-host)) - `appType: 'spa'` (default) or `appType: 'mpa'` is used This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served. ### Details The [serveStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L123) function is in charge of serving static files from the server. It returns the [viteServeStaticMiddleware](https://github.com/vitejs/vite/blob/9719497adec4ad5ead21cafa19a324bb1d480194/packages/vite/src/node/server/middlewares/static.ts#L136) function which runs the needed tests and serves the page. The...

GHSA-vgmm-27fc-vmgp: Maho is Vulnerable to Authenticated Remote Code Execution via File Upload

### Summary In Maho 25.7.0, an authenticated staff user with access to the `Dashboard` and `Catalog\Manage Products` permissions can create a custom option on a listing with a file input field. By allowing file uploads with a `.php` extension, the user can use the filed to upload malicious PHP files, gaining remote code execution ### Details An user with the `Dashboard` and `Catalog\Manage Products` permissions can abuse the product custom options feature to bypass the application’s file upload restrictions. When creating a product custom option of type file upload, the user is allowed to define their own extension whitelist. This bypasses the application’s normal enforced whitelist and permits disallowed extensions, including `.php`. The file uploaded by the custom option is then written to a predictable location: ``` /public/media/custom_options/<first char of filename>/<second char of filename>/<md5 of file contents>.php ``` Because this path is directly accessible under the app...

GHSA-455v-w7r9-3vv9: Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity

### Overview A security review of the Cattown identified multiple weaknesses that could potentially impact its stability and security. ### Affected Versions - All versions below 1.0.2 ### Description of Vulnerabilities 1. CWE-1333: Inefficient Regular Expression Complexity The package used regular expressions with inefficient, potentially exponential worst-case complexity. This can cause excessive CPU usage due to excessive backtracking on crafted inputs, potentially leading to denial of service. 2. CWE-400: Uncontrolled Resource Consumption (Resource Exhaustion) The package was vulnerable to resource exhaustion, where processing malicious inputs could cause high CPU or memory usage, potentially leading to denial of service. ### Impact - Trigger excessive CPU consumption leading to denial of service - Cause resource exhaustion affecting service availability - Bypass protection mechanisms causing unexpected or insecure behavior ### Resolution These vulnerabilities have been fixed in...

GHSA-rf24-wg77-gq7w: listmonk: CSRF to XSS Chain can Lead to Admin Account Takeover

### Summary Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. With a little help of social engineering (such as sending a link via email or chat), an attacker may trick the users of a web application into executing actions of the attacker’s choosing. If the victim is a normal user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the victim is an administrative account, CSRF can compromise the entire web application. ### Details During a security evaluation of the webapp, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to be processed correctly. This may seem harmless, but if chained to other vulnerabilities it can become a critical vulnerabi...

GHSA-49mj-x8jp-qvfc: OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload

### Impact OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an **authenticated** attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename becomes included in a command defined in a system event handler and said event gets triggered. If no event handlers executing system commands with uploaded filenames as parameters have been configured, this vulnerability does not have an impact. ### Patches The vulnerability will be patched in version 1.11.3. ### Workaround Until the patch has been applied, OctoPrint administrators who have event handlers configured that include any kind of filename based placeholders (i.e. `{__filename}`, `{__filepath}`, `{filename}`, `{path}`, etc -- refer to [the events documentation](https://docs.octoprint.org/en/master/events/index.html#placeholders) for a full list) should disable those by setting their `enabled` property to `False` or unchecking the "Enab...

GHSA-93mf-426m-g6x9: CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion

# Summary The CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling cache pinning for very long periods. This can effectively cause a denial of service for DNS updates/changes to affected services. # Details In `plugin/etcd/etcd.go`, the `TTL()` function casts the 64-bit etcd lease ID to a uint32 and uses it as the TTL: ```go func (e *Etcd) TTL(kv *mvccpb.KeyValue, serv *msg.Service) uint32 { etcdTTL := uint32(kv.Lease) // BUG: Lease ID != TTL duration // ... rest of function uses etcdTTL as actual TTL } ``` Lease IDs are identifiers, not durations. Large lease IDs can produce very large TTLs after truncation, causing downstream resolvers and clients to cache answers for years. This enables cache pinning attacks, such as: 1. Attacker has etcd write access (compromised service account, misconfigured RBAC/TLS, exposed etcd, insider). 2. Attacker writes/updates a key and attaches any lease (the actual lease ...

GHSA-5m5x-9j46-h678: Element Plus Link component (el-link) implements insufficient input validation for the href attribute

Element Plus Link component (el-link) prior to 2.11.0 implements insufficient input validation for the href attribute, creating a security abstraction gap that obscures URL-based attack vectors. The component passes user-controlled href values directly to underlying anchor elements without protocol validation, URL sanitization, or security headers. This allows attackers to inject malicious URLs using dangerous protocols (javascript:, data:, file:) or redirect users to external malicious sites. While native HTML anchor elements present similar risks, UI component libraries bear additional responsibility for implementing security safeguards and providing clear risk documentation. The vulnerability enables XSS attacks, phishing campaigns, and open redirect exploits affecting applications that use Element Plus Link components with user-controlled or untrusted URL inputs.

GHSA-3vcp-r62v-xpvg: Apache DolphinScheduler vulnerable to Alert Script Attack

Improper Input Validation vulnerability in Apache DolphinScheduler. An authenticated user can execute any shell script server by alert script. This issue affects Apache DolphinScheduler: before 3.2.2. Users are recommended to upgrade to version 3.3.1, which fixes the issue.