Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-364c-vvqx-446c: Croc sender may place ANSI or CSI escape sequences in filename to attach receiver's terminal device

An issue was discovered in Croc through 9.6.5. A sender may place ANSI or CSI escape sequences in a filename to attack the terminal device of a receiver.

ghsa
Open in Source
#git
GHSA-hp56-xvf4-g6wr: Cros secrets may be disclosed to untrusted relay

An issue was discovered in Croc through 9.6.5. When a custom shared secret is used, the sender and receiver may divulge parts of this secret to an untrusted Relay, as part of composing a room name.

GHSA-ppjh-xp5v-46wc: Croc sender may send dangerous new files to receiver

An issue was discovered in Croc through 9.6.5. A sender may send dangerous new files to a receiver, such as executable content or a `.ssh/authorized_keys` file.

GHSA-7mp6-929p-pqhj: Croc requires senders to provide local IP addresses in cleartext

An issue was discovered in Croc through 9.6.5. The protocol requires a sender to provide its local IP addresses in cleartext via an `ips?` message.

GHSA-7g3v-4ggr-xvjf: Croc may expose secret to local users

An issue was discovered in Croc through 9.6.5. The shared secret, located on a command line, can be read by local users who list all processes and their arguments.

GHSA-9pv7-vfvm-6vr7: graphql Uncontrolled Resource Consumption vulnerability

Versions of the package graphql from 16.3.0 and before 16.8.1 are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This vulnerability allows an attacker to degrade system performance. **Note:** It was not proven that this vulnerability can crash the process.

GHSA-g8h7-mcp6-pf47: File Upload vulnerability in Dolibarr ERP CRM

File Upload vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to execute arbitrary code and obtain sensitive information via the extension filtering and renaming functions.

GHSA-62wf-h26v-5m57: Cross Site Scripting vulnerability in Dolibarr ERP CRM

Cross Site Scripting vulnerability in Dolibarr ERP CRM v.17.0.1 and before allows a remote attacker to obtain sensitive information and execute arbitrary code via the REST API module, related to analyseVarsForSqlAndScriptsInjection and testSqlAndScriptInject.

GHSA-6773-rfjv-c54w: Dolibarr allows a remote privileged attacker to execute arbitrary code via a crafted command/script

An issue in Dolibarr ERP CRM v.17.0.1 and before allows a remote privileged attacker to execute arbitrary code via a crafted command/script.

GHSA-v92f-jx6p-73rx: Improper Control of Generation of Code ('Code Injection') in jai-ext

### Impact Programs using jt-jiffle, and allowing Jiffle script to be provided via network request, are susceptible to a Remote Code Execution as the Jiffle script is compiled into Java code via Janino, and executed. In particular, this affects the downstream GeoServer project. ### Patches Version 1.2.22 will contain a patch that disables the ability to inject malicious code into the resulting script. ### Workarounds Negate the ability to compile Jiffle scripts from the final application, by removing janino-x.y.z.jar from the classpath. ### References None.