Source
ghsa
SQL injection vulnerability in DataEase v.1.18.9 allows a remote attacker to obtain sensitive information via a crafted string outside of the blacklist function.
An issue in hjson-java up to v3.0.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted JSON string to trigger a `StringIndexOutOfBoundsException`.
Improper Access Control in GitHub repository usememos/memos prior to 0.13.2. As of commit `c9aa2eeb9`, access tokens which fail validation are rejected.
Improper Input Validation in GitHub repository usememos/memos prior to 0.13.2.
Improper Privilege Management in GitHub repository usememos/memos prior to 0.13.2.
### Impact
`DDFFileParser` and `DefaultDDFFileValidator` (and so `ObjectLoader`) are vulnerable to [XXE Attacks](https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing). A [DDF file](https://github.com/eclipse-leshan/leshan/wiki/Adding-new-objects#the-lwm2m-model) is an LWM2M format used to store LWM2M object descriptions. Leshan users are impacted only if they parse untrusted DDF files (e.g. if they let external users provide their own model); in that case they MUST upgrade to a fixed version. If you parse only trusted DDF files and validate only with a trusted XML schema, upgrading is not mandatory.

### Patches
This is fixed in **v1.5.0** and **2.0.0-M13**.

### Workarounds
No easy way. One option is to write your own `DDFFileParser`/`DefaultDDFFileValidator` (and so `ObjectLoader`) that creates a `DocumentBuilderFactory` with:

```java
// For DDFFileParser
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature(XMLConstants.FEATU...
```
An issue in Archive v3.3.7 allows attackers to execute a path traversal via extracting a crafted zip file.
An issue in Zip Swift v2.1.2 allows attackers to execute a path traversal attack via a crafted zip entry.
An issue in Archive v3.3.7 allows attackers to spoof zip filenames which can lead to inconsistent filename parsing.
An issue in ZIPFoundation v0.9.16 allows attackers to execute a path traversal via extracting a crafted zip file.