ghsa

### Summary Zitadel's User Service discloses the total number of instance users to unauthorized users. ### Impact The ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user data or PII, disclosing the total user count via the `totalResult` field constitutes an information disclosure vulnerability that may be sensitive in certain contexts. ### Affected Versions Systems running one of the following version are affected: - **4.x**: `4.0.0-rc.1` through `4.7.1` - **3.x**: `3.0.0-rc.1` through `3.4.4` - **2.x**: `2.44.0` through `2.71.19` ### Patches The vulnerability has been addressed in the latest release. The patch resolves the issue and returns the `totalResult` value corresponding to the number of instance users for whom the querying user has read permission. - 4.x: Upgrade to >=[4.7.2](https://github.com/zitadel/zitadel/releases/tag/v4.7.2) - 3.x: ...

### Summary `redirect_url` is treated as safe when `url.Parse(...).IsAbs()` is false. Protocol-relative URLs like `//ikotaslabs.com` have an empty scheme and pass that check, allowing post-login redirects to attacker-controlled sites. ### Details - `url.Parse("//ikotaslabs.com")` => empty Scheme, Host="ikotaslabs.com". - `IsAbs()` returns false for `//ikotaslabs.com`, so the code treats it as allowed. - Browser resolves `//ikotaslabs.com` to current-origin scheme (e.g. `https://ikotaslabs.com`), enabling phishing flows after login. ### PoC 1. Send or visit: `http://localhost/login?redirect_url=//ikotaslabs.com` 2. Complete normal login flow. 3. After login the app redirects to `https://ikotaslabs.com` (or `http://` depending on origin). ### Acknowledgements This vulnerability was discovered using the automated vulnerability analysis tools **VulScribe** and **PwnML**. The research and tool development were conducted with support from the **MITOU Advanced Program (未踏アドバンスト事業)*...

### Summary The TIM (PSX TIM) image parser in ImageMagick contains a critical integer overflow vulnerability in the `ReadTIMImage` function (`coders/tim.c`). The code reads `width` and `height` (16-bit values) from the file header and calculates `image_size = 2 * width * height` without checking for overflow. On 32-bit systems (or where `size_t` is 32-bit), this calculation can overflow if `width` and `height` are large (e.g., 65535), wrapping around to a small value. This results in a small heap allocation via `AcquireQuantumMemory` and later operations relying on the dimensions can trigger an out of bounds read. ### Vulnerable Code File: `coders/tim.c` ```c width=ReadBlobLSBShort(image); height=ReadBlobLSBShort(image); image_size=2*width*height; // Line 234 - NO OVERFLOW CHECK! ``` ### Impact This vulnerability can lead to Arbitrary Memory Disclosure due to an out of bounds read on 32-bit systems.

### Impact Any user who can edit their own user profile or any other document can execute arbitrary script macros including Groovy and Python macros that allow remote code execution including unrestricted read and write access to all wiki contents. The reason is that rendering output is included as content of HTML macros with insufficient escaping, and it is thus possible to close the HTML macro and inject script macros that are executed with programming rights. To demonstrate, the content `{{html}}{{/html {{/html}}}}` can be inserted into any field of the user profile that supports wiki syntax like the "About" field. If this leads to the display of raw HTML, the instance is vulnerable. ### Patches This problem has been patched by extending the escaping introduced by [XRENDERING-693](https://jira.xwiki.org/browse/XRENDERING-693) to also cover closing HTML macros that have spaces after the macro name in XWiki 16.10.10, 17.4.3 and 17.6.0RC1. A [similar fix](https://github.com/xwiki/xwik...

### Impact XWiki's REST API doesn't enforce any limits for the number of items that can be requested in a single request at the moment. Depending on the number of pages in the wiki and the memory configuration, this can lead to slowness and unavailability of the wiki. As an example, the `/rest/wikis/xwiki/spaces` resource returns all spaces on the wiki by default, which are basically all pages. ### Patches XWiki 17.7.0RC1, 17.4.4 and 16.10.11 introduce a configurable limit, limiting responses to 1000 items by default. Requesting larger limits leads to an error now. ### Workarounds We're not aware of any workaround, except denying access to the affected REST resources in a proxy in front of XWiki.

### Impact A reflected XSS vulnerability in XWiki allows an attacker to send a victim to a URL with a deletion confirmation message on which the attacker-supplied script is executed when the victim clicks the "No" button. When the victim has admin or programming right, this allows the attacker to execute basically arbitrary actions on the XWiki installation including remote code execution. ### Patches This vulnerability has been patched in XWiki 16.10.10, 17.4.2 and 17.5.0 by using the affected URL parameter only in the intended context. ### Workarounds The [patch](https://github.com/xwiki/xwiki-platform/commit/cb578b1b2910d06e9dd7581077072d1cfbd280f2) can be manually applied to the templates that are present in the WAR. A restart of XWiki is needed for the changes to be applied.

Improper Symbolic link handling in the PutContents API in Gogs allows Local Execution of Code.

Denial of Service vulnerability in Apache Struts, file leak in multipart request processing causes disk exhaustion. This issue affects Apache Struts: from 2.0.0 through 6.7.4, from 7.0.0 through 7.0.3. Users are recommended to upgrade to version 6.8.0 or 7.1.1, which fixes the issue.

A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

fetch-mcp v1.0.2 and before is vulnerable to Server-Side Request Forgery (SSRF) vulnerability, which allows attackers to bypass private IP validation and access internal network resources.