Security Headlines
GHSA-h8wh-f7gw-fwpr: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly check permissions when retrieving a post, allowing a System Role that holds the permission to manage channels to read the posts of a DM conversation.

GHSA-rp65-jpc7-8h8p: Mattermost Incorrect Authorization vulnerability

Mattermost fails to properly verify permissions when managing or updating a bot, allowing a User Manager role with user edit permissions to manage or update bots.

GHSA-9jvx-p6mq-fw4v: pretix allows Pillow to parse EPS files

pretix before 2023.7.2 allows Pillow to parse EPS files.

GHSA-86c6-3g63-5w64: Hashicorp Vault Incorrect Permission Assignment for Critical Resource vulnerability

The Vault and Vault Enterprise ("Vault") Google Cloud secrets engine did not preserve existing Google Cloud IAM Conditions upon creating or updating rolesets. Fixed in Vault 1.13.0.

GHSA-m95q-7qp3-xv42: Zod denial of service vulnerability

Zod version 3.22.2 allows an attacker to perform a denial of service while validating emails.

GHSA-2hm9-h873-pgqh: OpenFGA Vulnerable to DoS from circular relationship definitions

## Overview

OpenFGA is vulnerable to a DoS attack when certain Check calls are executed against authorization models that contain circular relationship definitions. When the call is made, it's possible for the server to exhaust resources and die.

## Am I Affected?

Yes, if your store contains an authorization model that allows circular relationships. For example, with this model:

```
model
  schema 1.1
type user
type group
  relations
    define memberA: [user] or memberB or memberC or memberD or memberE
    define memberB: [user] or memberA or memberC or memberD or memberE
    define memberC: [user] or memberA or memberB or memberD or memberE
    define memberD: [user] or memberA or memberB or memberC or memberE
    define memberE: [user] or memberA or memberB or memberC or memberD
```

This Check: `(user:anne, memberA, group:X)` can exhaust memory in the server.

## Fix

Upgrade to v1.3.2 and update any offending models. **[BREAKING]** If your model contained cycles or a relatio...

GHSA-6jmf-2pfc-q9m7: PrestaShop allows users to uninstall modules from backoffice, even with low rights

### Impact

Any module can be disabled or uninstalled from the back office, even with low user rights.

### Patches

8.1.2

### Workarounds

none

### References

GHSA-gvrg-62jp-rf7j: PrestaShop allows employee without any access rights to list all installed modules

### Impact

In BO, an employee can list all modules without any access rights: method `ajaxProcessGetPossibleHookingListForModule` doesn't check access rights.

### Patches

Fixed on 8.1.2

### Workarounds

### References

GHSA-2g8p-j2r6-vqpj: October Cross-site Scripting vulnerability

A Cross-Site Scripting (XSS) vulnerability in the installer of October v.3.4.16 allows an attacker to execute arbitrary web scripts via a crafted payload injected into the dbhost field.

GHSA-7vff-rv2f-cj79: Subrion CMS Cross-site Scripting vulnerability

A Cross-site scripting (XSS) vulnerability in the Reference ID field of the Transactions panel of Subrion v4.2.1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the 'Reference ID' parameter.