ghsa

### Summary A critical SQL Injection vulnerability exists in the `getLast` API functionality of the eKuiper project. This flaw allows unauthenticated remote attackers to execute arbitrary SQL statements on the underlying SQLite database by manipulating the table name input in an API request. Exploitation can lead to data theft, corruption, or deletion, and full database compromise. ### Details The root cause lies in the use of unsanitized user-controlled input when constructing SQL queries using `fmt.Sprintf`, without validating the `table` parameter. Specifically, in: ```go query := fmt.Sprintf("SELECT * FROM %s ORDER BY rowid DESC LIMIT 1", table) ``` Any value passed as the `table` parameter is directly interpolated into the SQL string, enabling injection attacks. This is reachable via API interfaces that expose time-series queries. ### PoC 1. **Deploy eKuiper instance** (default config is sufficient). 2. **Send a crafted request to the SQL query endpoint**: ```bash curl -X ...

### Summary Infinite lines occur when writing during a specific XMP file conversion command ### Details ``` #0 GetXmpNumeratorAndDenominator (denominator=<optimized out>, numerator=<optimized out>, value=<optimized out>) at MagickCore/profile.c:2578 #1 GetXmpNumeratorAndDenominator (denominator=<synthetic pointer>, numerator=<synthetic pointer>, value=720000000000000) at MagickCore/profile.c:2564 #2 SyncXmpProfile (image=image@entry=0x555555bb9ea0, profile=0x555555b9d020) at MagickCore/profile.c:2605 #3 0x00005555555db5cf in SyncImageProfiles (image=image@entry=0x555555bb9ea0) at MagickCore/profile.c:2651 #4 0x0000555555798d4f in WriteImage (image_info=image_info@entry=0x555555bc2050, image=image@entry=0x555555bb9ea0, exception=exception@entry=0x555555b7bea0) at MagickCore/constitute.c:1288 #5 0x0000555555799862 in WriteImages (image_info=image_info@entry=0x555555bb69c0, images=<optimized out>, images@entry=0x555555bb9ea0, filename=<optimized out>, exception=0x555555b7bea0) at Ma...

A cross-site scripting (XSS) vulnerability in the component /blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into a blog post.

### Summary A critical vulnerability exists in the form-data package used by `axios@1.10.0`. The issue allows an attacker to predict multipart boundary values generated using `Math.random()`, opening the door to HTTP parameter pollution or injection attacks. This was submitted in [issue #6969](https://github.com/axios/axios/issues/6969) and addressed in [pull request #6970](https://github.com/axios/axios/pull/6970). ### Details The vulnerable package `form-data@4.0.0` is used by `axios@1.10.0` as a transitive dependency. It uses non-secure, deterministic randomness (`Math.random()`) to generate multipart boundary strings. This flaw is tracked under [Snyk Advisory SNYK-JS-FORMDATA-10841150](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150) and [CVE-2025-7783](https://security.snyk.io/vuln/SNYK-JS-FORMDATA-10841150). Affected `form-data` versions: - <2.5.4 - >=3.0.0 <3.0.4 - >=4.0.0 <4.0.4 Since `axios@1.10.0` pulls in `form-data@4.0.0`, it is exposed to this issue. ### PoC...

### Impact Administrator users on Harbor could exploit an ORM Leak (https://www.elttam.com/blog/plormbing-your-django-orm/) vulnerability that was present in the `/api/v2.0/users` endpoint to leak users' password hash and salt values. This vulnerability was introduced into the application because the `q` URL parameter allowed the administrator to filter users by any column, and the filter `password=~` could be abused to leak out a user's password hash character by character. An attacker with administrator access could exploit this vulnerability to leak highly sensitive information stored on the Harbor database, as demonstrated in the attached writeup by the leaking of users' password hashes and salts. All endpoints that support the `q` URL parameter are vulnerable to this ORM leak attack, and could potentially be exploitable by lower privileged users to gain unauthorised access to other sensitive information. ### Patches No available ### Workarounds NA ### References ### Credit...

### Summary The regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit. ### Details In version 3.0.1, you can find a commit like the one in the link below, which was made to prevent ReDoS. https://github.com/rennf93/fastapi-guard/commit/d9d50e8130b7b434cdc1b001b8cfd03a06729f7f This commit mitigates the vulnerability by limiting the length of the input string, as shown in the example below. `r"<script[^>]*>[^<]*<\\/script\\s*>"` -> `<script[^>]{0,100}>[^<]{0,1000}<\\/script\\s{0,10}>` This type of patch fails to catch cases where the string representing the attributes of a <script> tag exceeds 100 characters. Therefore, most of the regex patterns present in version 3.0.1 can be bypassed. ### PoC 1. clone the fastapi-guard repository 2. Navigate to the examples directory and modify the main.py source code. Change the HTTP method for the root route from GET to POST. <img width="1013" height="554" ...

### Impact In the Harbor repository information, it is possible to inject code resulting in a stored XSS issue. ### Patches Harbor v2.12.3 Harbor 2.11.3 ### Workarounds No ### References ### Credit gleb.razvitie@gmail.com

All versions of the package bun are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line arguments or shell metacharacters, leading to unintended command execution.

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory.