ghsa

### Impact Cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. ### Patches System administrators are encouraged to upgrade to Synapse 1.95.1 as soon as possible. ### Workarounds The `federation_domain_whitelist` can be used to limit federation traffic with a homeserver.

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 11.1.0.

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.1.

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by brute forcing one character at a time and observing the timing. This of course drastically reduces the search space to a linear amount of guesses based on the token length times the possible characters.

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.

Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

Cross-site Scripting (XSS) - Reflected in GitHub repository thorsten/phpmyfaq prior to 3.2.2.

Cross-site Scripting (XSS) - Stored in GitHub repository microweber/microweber prior to 2.0.

An issue in OpenCRX v.5.2.2 allows a remote attacker to execute arbitrary code via a crafted request.