ghsa

A vulnerability was discovered in the marshmallow-packages/nova-tiptap Laravel Nova package that allows unauthenticated users to upload arbitrary files to any Laravel disk configured in the application. The vulnerability is due to: • Missing authentication middleware (Nova and Nova.Auth) on the /nova-tiptap/api/file upload endpoint • Lack of validation on uploaded files (no MIME/type or extension restrictions) • Ability for an attacker to choose the disk parameter dynamically This means an attacker can craft a custom form and send a POST request to /nova-tiptap/api/file, supplying a valid CSRF token, and upload executable or malicious files (e.g., .php, binaries) to public disks such as local, public, or s3. If a publicly accessible storage path is used (e.g. S3 with public access, or Laravel’s public disk), the attacker may gain the ability to execute or distribute arbitrary files — amounting to a potential Remote Code Execution (RCE) vector in some environments.

### Summary form-data uses `Math.random()` to select a boundary value for multipart form-encoded data. This can lead to a security issue if an attacker: 1. can observe other values produced by Math.random in the target application, and 2. can control one field of a request made using form-data Because the values of Math.random() are pseudo-random and predictable (see: https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f), an attacker who can observe a few sequential values can determine the state of the PRNG and predict future values, includes those used to generate form-data's boundary value. The allows the attacker to craft a value that contains a boundary value, allowing them to inject additional parameters into the request. This is largely the same vulnerability as was [recently found in `undici`](https://hackerone.com/reports/2913312) by [`parrot409`](https://hackerone.com/parrot409?type=user) -- I'm not affiliated with that researcher but want to giv...

### Impact A potential security issue has been mitigated on old account deployment functions from the factory. Smart wallets in use on all existing supported networks are not impacted. ### Patches Please direct creation of new wallets to either `createSemiModularAccount` on `AccountFactory.sol` or `createWebAuthnAccount` on `WebAuthnFactory.sol`.

### Summary A command injection vulnerability exists in the `@translated/lara-mcp` MCP Server. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). ### Details The MCP Server exposes tools to interact with Lara Translate API. An MCP Client can be instructed to execute additional actions for example via indirect prompt injection in handling (untrusted) sources. Below some example of vulnerable code and different ways to test this vulnerability including an example of indirect prompt injection that can lead to arbitrary command injection. ### Vulnerable code The follo...

### Summary The `version` parameter of the `/docs` endpoint is vulnerable to a Reflected XSS (Cross-Site Scripting) attack. ### PoC 1. Setup a minimal app following the quickstart guide: https://docs.cadwyn.dev/quickstart/setup/ 2. Click on the following PoC link: http://localhost:8000/docs?version=%27%2balert(document.domain)%2b%27 ### Impact Refer to this [security advisory](https://github.com/Visionatrix/Visionatrix/security/advisories/GHSA-w36r-9jvx-q48v) for an example of the impact of a similar vulnerability that shares the same root cause. This XSS would notably allow an attacker to execute JavaScript code on a user's session for any application based on `Cadwyn` via a one-click attack. A CVSS for the average case may be: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L ### Details The vulnerable code snippet can be found in the 2 functions `swagger_dashboard` and `redoc_dashboard`: https://github.com/zmievsa/cadwyn/blob/main/cadwyn/applications.py#L387-L413 The implementation...

File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which does not allow arbitrary configuration upload.

Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0. Users are recommended to upgrade to version 5.5.0, which fixes the issue.

### Summary A **remote script-inclusion / stored XSS** vulnerability in **@nuxtjs/mdc** lets a Markdown author inject a `<base href="https://attacker.tld">` element. The `<base>` tag rewrites how all subsequent relative URLs are resolved, so an attacker can make the page load scripts, styles, or images from an external, attacker-controlled origin and execute arbitrary JavaScript in the site’s context. ### Details - **Affected file** : `src/runtime/parser/utils/props.ts` - **Core logic**  : `validateProp()` inspects * attributes that start with `on` → blocked * `href` or `src` → filtered by `isAnchorLinkAllowed()` Every other attribute and every **tag** (including `<base>`) is allowed unchanged, so the malicious `href` on `<base>` is never validated. ``` export const validateProp = (attribute: string, value: string) => { if (attribute.startsWith('on')) return false if (attribute === 'href' || attribute === 'src') { return isAnchorLinkAllowed(value) } retur...

Thor before 1.4.0 can construct an unsafe shell command from library input.

eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows.