ghsa

### Context Merge conflict resolution issue when porting the v5.0.1 `Multicall` update to the v4.9 branch caused a duplicated line. ### Impact Versions using `Multicall` from `@openzeppelin/contracts@4.9.4` and `@openzeppelin/contracts-upgradeable@4.9.4` will execute each subcall twice. Concretely, this exposes a user to unintentionally duplicate operations like asset transfers. ### Patches The duplicated `delegatecall` was removed in 4.9.5. The 4.9.4 version is marked as deprecated.

### Impact The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled `name` value, which is used in a temporary file name, which is afterwards opened for writing on lines 122-125, which leads to path injection. This issue may lead to arbitrary file write. This vulnerability allows for writing files anywhere on the server that the filesystem permissions that the running server has access to. ### Patches Use mindsdb staging branch or v23.11.4.1 ### References * GHSL-2023-184 * See [CodeQL path injection prevention guidelines](https://codeql.github.com/codeql-query-help/python/py-path-injection/) and [OWASP guidelines](https://owasp.org/www-community/attacks/Path_Traversal).

### Impact The put method in `mindsdb/mindsdb/api/http/namespaces/file.py` does not validate the user-controlled URL in the source variable and uses it to create arbitrary requests on line 115, which allows Server-side request forgery (SSRF). This issue may lead to Information Disclosure. The SSRF allows for forging arbitrary network requests from the MindsDB server. It can be used to scan nodes in internal networks for open ports that may not be accessible externally, as well as scan for existing files on the internal network. It allows for retrieving files with csv, xls, xlsx, json or parquet extensions, which will be viewable via MindsDB GUI. For any other existing files, it is a blind SSRF. ### Patches Use mindsdb staging branch or v23.11.4.1 ### References * GHSL-2023-182 [SSRF prevention cheatsheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html).

When using the default implementation of Verify to check a Captcha, verification can be bypassed. For example, if the first parameter is a non-existent id, the second parameter is an empty string, and the third parameter is true, the function will always consider the Captcha to be correct.

We have identified that this project contains an out-of-date version of the Public Suffix List (https://publicsuffix.org/). We are carrying out research to identify the potential impacts of using old versions of the Public Suffix List, and we intend to publish our results in academic conferences and journals. Our results will become publicly available after 21 days; this provides time to update your project with an up-to-date version of the Public Suffix List. GitHub repository: gsemac/Gsemac.Common Public Suffix List path: src/Gsemac.Net/Resources/public_suffix_list.dat The Public Suffix List is regularly updated (generally a few times per week), and to ensure that the correct privacy boundaries are maintained between websites, applications that use it should routinely fetch an updated copy. If new suffixes are added to the list, and an old list is then used, privacy boundaries will not be constructed correctly, allowing for data (e.g., cookies) to be set incorrectly, potentially ha...

Currently, the middleware operates in a way that if an allowed origin is not provided, it will return an `Access-Control-Allow-Origin` header with the value of the origin from the request. This behavior completely disables one of the most crucial elements of browsers - the Same Origin Policy (SOP), this could cause a very serious security threat to the users of this middleware. If such behavior is expected, for instance, when middleware is used exclusively for prototypes and not for production applications, it should be heavily emphasized in the documentation along with an indication of the risks associated with such behavior, as many users may not be aware of it.

### Summary `nuxt-api-party` allows developers to proxy requests to an API without exposing credentials to the client. [`ofetch`](https://github.com/unjs/ofetch) is used to send the requests. The library allows the user to send many options directly to `ofetch`. There is no filter on which options are available. We can abuse the retry logic to cause the server to crash from a stack overflow. ### Details `fetchOptions` [are obtained directly from the request body](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L27). These are then [passed directly into `ofetch` ](https://github.com/johannschopplich/nuxt-api-party/blob/777462e1e3af1d9f8938aa33f230cd8cb6e0cc9a/src/runtime/server/handler.ts#L57C15-L57C15). We can construct a URL we know will not fetch successfully, then set the retry attempts to a high value, this will cause a stack overflow as ofetch error handling works recursively. ### PoC POC using No...

The caddy-geo-ip (aka GeoIP) middleware through 0.6.0 for Caddy 2, when trust_header X-Forwarded-For is used, allows attackers to spoof their source IP address via an X-Forwarded-For header, which may bypass a protection mechanism (trusted_proxy directive in reverse_proxy or IP address range restrictions).

Special:Ask in Semantic MediaWiki before 4.0.2 allows Reflected XSS.

A flaw was found in Quarkus. This issue occurs when receiving a request over websocket with no role-based permission specified on the GraphQL operation, Quarkus processes the request without authentication despite the endpoint being secured. This can allow an attacker to access information and functionality outside of normal granted API permissions.