ghsa

### Summary A vulnerability has been found in Dapr that allows bypassing [API token authentication](https://docs.dapr.io/operations/security/api-token/), which is used by the Dapr sidecar to authenticate calls coming from the application, with a well-crafted HTTP request. Users who leverage API token authentication are encouraged to upgrade Dapr to 1.10.9 and 1.11.2. ### Impact This vulnerability impacts Dapr users who have configured API token authentication. An attacker could craft a request that is always allowed by the Dapr sidecar over HTTP, even if the `dapr-api-token` in the request is invalid or missing. ### Patches The issue has been fixed in Dapr 1.10.9 and 1.11.2. ### Details When API token authentication is enabled, Dapr requires all calls from applications to include the `dapr-api-token` header, with a value matching what's included in the Dapr's configuration. In order to allow for healthchecks to work, the `/v1.0/healthz` and `/v1.0/healthz/outbound` HTTP...

Cross-site Scripting (XSS) - Reflected in GitHub repository pimcore/pimcore prior to 10.6.4.

Cross-site Scripting (XSS) - Stored in GitHub repository pimcore/pimcore prior to 10.6.4.

A vulnerability, which was classified as problematic, has been found in y_project RuoYi up to 4.7.7. Affected by this issue is the function `uploadFilesPath` of the component `File Upload`. The manipulation of the argument `originalFilenames` leads to cross site scripting. The attack may be launched remotely. VDB-235118 is the identifier assigned to this vulnerability.

Incorrect access control in the component `/models/Content` of Cockpit CMS v2.5.2 allows unauthorized attackers to access sensitive data.

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

An arbitrary file upload vulnerability in the component /workplace#!explorer of Alkacon OpenCMS v15.0 allows attackers to execute arbitrary code via uploading a crafted PNG file.

### Impact OpenAM up to version 14.7.2 does not properly validate the signature of SAML responses received as part of the SAMLv1.x Single Sign-On process. Attackers can use this fact to impersonate any OpenAM user, including the administrator, by sending a specially crafted SAML response to the SAMLPOSTProfileServlet servlet. ### Patches This problem has been patched in OpenAM 14.7.3-SNAPSHOT and later ### Workarounds One should comment servlet `SAMLPOSTProfileServlet` in web.xml or disable SAML in OpenAM ```xml <servlet> <description>SAMLPOSTProfileServlet</description> <servlet-name>SAMLPOSTProfileServlet</servlet-name> <servlet-class>com.sun.identity.saml.servlet.SAMLPOSTProfileServlet</servlet-class> </servlet> ... <servlet-mapping> <servlet-name>SAMLSOAPReceiver</servlet-name> <url-pattern>/SAMLSOAPReceiver</url-pattern> </servlet-mapping> ``` ### References #624

### Impact Feathers socket handler did not catch invalid string conversion errors like: ```ts const message = `${{ toString: '' }}` ``` Causing the NodeJS process to crash when sending an unexpected Socket.io message like ```ts socket.emit('find', { toString: '' }) ``` ### Patches A fix has been released in - `v5.0.8` via #3241 - `v4.5.18` via #3242 ### Workarounds Since it is in the core Socket handling code upgrading to the latest version is necessary. ### References - [v5.0.8 Changelog](https://github.com/feathersjs/feathers/blob/dove/CHANGELOG.md#508-2023-07-19) - [v4.5.18 Changelog](https://github.com/feathersjs/feathers/blob/crow/CHANGELOG.md#4518-2023-07-19)

### Impact aiohttp v3.8.4 and earlier are [bundled with llhttp v6.0.6](https://github.com/aio-libs/aiohttp/blob/v3.8.4/.gitmodules) which is vulnerable to CVE-2023-30589. The vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). ### Reproducer ```python from aiohttp import web async def example(request: web.Request): headers = dict(request.headers) body = await request.content.read() return web.Response(text=f"headers: {headers} body: {body}") app = web.Application() app.add_routes([web.post('/', example)]) web.run_app(app) ``` Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. ```console $ ...