ghsa

Heap buffer overflow in WebP in Google Chrome prior to 116.0.5845.187 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: Critical)

Relative Path Traversal in GitHub repository cecilapp/cecil prior to 7.47.1.

Cross-site Scripting (XSS) - Reflected in GitHub repository cecilapp/cecil prior to 7.47.1.

### Summary An remote Code exec vulnerability allows any unauthenticated user to exec code on the server. ### Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can get rce on the server through the mysql userializable If the mysql-connector-java version used on the server side is less than 8.20. In order for the server to enable deserialization we need to set the `autoDeserialize` and `queryInterceptors` parameters in the connection string,As same with https://github.com/OpenRefine/OpenRefine/security/advisories/GHSA-qqh2-wvmv-h72m, since the concatenation string is a direct concatenation, it is possible to inject the required parameters after the other parameters.  And there is a commons-beanutils dependency library on the server side, w...

### Summary An arbitrary file read vulnerability allows any unauthenticated user to read the file on the server._ ### Details Hi,Team, i find openrefine support to import data from database,When use mysql jdbc to connect to database,It is vulnerable to jdbc url attacks,for example,unauthenticated attacker can read the file on the server. There are some differences in utilization depending on the version of the mysql-connector dependency on the server side. 1. mysql-connector-java version > 8.14 The default value of `allowLoadLocalInfile` on the server side is false in this case.We need to manually set this value to true in the connection string. Since the way to get the databaseurl in `com/google/refine/extension/database/mysql/MySQLConnectionManager.java` is to splice the individual configurations directly, we can set the `allowLoadLocalInfile` parameter after the other parameters(for example the `databaseName` parameter ). ![image](https://user-images.githubusercontent.com/24...

### Summary _Short summary of the problem. Make the impact and severity as clear as possible. For example: An unsafe deserialization vulnerability allows any unauthenticated user to execute arbitrary code on the server._ The current implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be able to successfully generate a list of valid users on the platform. As Piccolo on it's own does not also enforce strong passwords (see [here](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#implement-proper-password-strength-controls)), these lists of valid accounts are likely to be used in a password spray attack with the outcome being attempted takeover of user accounts on the platform. The impact of this vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it requir...

A flaw was found where some utility classes in Drools core did not use proper safeguards when deserializing data. This flaw allows an authenticated attacker to construct malicious serialized objects (usually called gadgets) and achieve code execution on the server.

# Impact Guest orders may be viewed without authentication using a "guest-view" cookie which contains the order's "protect_code". This code is 6 hexadecimal characters which is arguably not enough to prevent a brute-force attack. Exposing each order would require a separate brute force attack. # Patches None. # Workarounds Implementing rate-limiting at the web server would help mitigate the issue. In particular, a very strict rate limit (e.g. 1 per minute per IP) for the specific route (`sales/guest/view/`) would effectively mitigate the issue. # References Email from Frank Rochlitzer (f.rochlitzer@b3-it.de) to security@openmage.org: ## Summary The German Federal Office for Information Security (BSI) found the following flaw in OpenMage through a commissioned pen test: The web application was found to accept certain requests even without prior strong authentication if the person making the request has data that is non-public but also not secret, such as easily easily guessed t...

Affected versions do not enforce a `Sync` bound on the type of caller-provided value held in the plugin registry. References to these values are made accessible to arbitrary threads other than the one that constructed them. A caller could use this flaw to submit thread-unsafe data into inventory, then access it as a reference simultaneously from multiple threads. The flaw was corrected by enforcing that data submitted by the caller into inventory is `Sync`.

Affected versions dereference a potentially unaligned pointer. The pointer is commonly unaligned in practice, resulting in undefined behavior. In some build modes, this is observable as a panic followed by abort. In other build modes the UB may manifest in some other way, including the possibility of working correctly in some architectures. The crate is not currently maintained, so a patched version is not available. ## Recommended alternatives - [`sysinfo`](https://crates.io/crates/sysinfo)