ghsa

### Impact Due to a lack of validation when filtering on the public API endpoints, it is possible to reveal private fields via a brute force attack. Ghost(Pro) has already been patched. We can find no evidence that the issue was exploited on Ghost(Pro) prior to the patch being added. Self-hosters are impacted if running Ghost a version below v5.46.1. Immediate action should be taken to secure your site - see patches and workarounds below. ### Patches v5.46.1 contains a fix for this issue. ### Workarounds Add a block for requests to `/ghost/api/content/*` where the `filter` query parameter contains `password` or `email`. ### For more information If you have any questions or comments about this advisory: * Email us at [security@ghost.org](mailto:security@ghost.org)

### Impact A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. ``` TypeError: Cannot read properties of undefined (reading 'handlesUpgrades') at Server.onWebSocket (build/server.js:515:67) ``` This impacts all the users of the [`engine.io`](https://www.npmjs.com/package/engine.io) package, including those who uses depending packages like [`socket.io`](https://www.npmjs.com/package/socket.io). ### Patches A fix has been released today (2023/05/02): [6.4.2](https://github.com/socketio/engine.io/releases/tag/6.4.2) This bug was introduced in version 5.1.0 and included in version 4.1.0 of the `socket.io` parent package. Older versions are not impacted. For `socket.io` users: | Version range | `engine.io` version | Needs minor update? | |-----------------------------|---------------------|----------------------...

## Summary Two vulnerabilities have been found in Rekor types for archive files JARs and APKs, where Rekor would crash due to out of memory conditions caused by reading archive metadata files into memory without checking their sizes first causing a Denial of Service of Rekor. These vulnerabilities were found through fuzzing with [OSS-Fuzz](https://google.github.io/oss-fuzz/). ## Vulnerability 1: OOM due to large files in META-INF directory of JAR files. ### Summary Verification of a JAR file submitted to Rekor can cause an out of memory crash if files within the META-INF directory of the JAR are sufficiently large. ### Details As part of verifying a JAR file, Rekor uses the [relic library](http://github.com/sassoftware/relic) to check that the JAR is signed, the signature verifies, and that the hashes in the signed manifest are all valid. This library function reads files within META-INF/ into memory without checking their sizes, resulting in an OOM if the uncompressed file is suffi...

Due to insufficient validation of parameters passed to the legacy HTTP query API, it is possible to inject crafted OS commands into multiple parameters and execute malicious code on the OpenTSDB host system. This exploit exists due to an incomplete fix that was made when this vulnerability was previously disclosed as CVE-2020-35476. Regex validation that was implemented to restrict allowed input to the query API does not work as intended, allowing crafted commands to bypass validation.

Due to insufficient validation of parameters reflected in error messages by the legacy HTTP query API and the logging endpoint, it is possible to inject and execute malicious JavaScript within the browser of a targeted OpenTSDB user. This issue shares the same root cause as CVE-2018-13003, a reflected XSS vulnerability with the suggestion endpoint.

The vulnerability was found Moodle which exists because the application allows a user to control path of the older to create in TinyMCE loaders. A remote user can send a specially crafted HTTP request and create arbitrary folders on the system.

The vulnerability was found Moodle which exists due to insufficient sanitization of user-supplied data in external Wiki method for listing pages. A remote attacker can send a specially crafted request to the affected application and execute limited SQL commands within the application database.

RosarioSIS 10.8.4 is vulnerable to CSV injection via the Periods Module.

### Impact When debug logging is enabled (via `DEBUG` environment variable), the Kubernetes client may log all response bodies into the debug log -- including sensitive data from `Secret` resources. When running in a Kubernetes cluster, this might expose sensitive information to users who are _not_ authorised to access secrets, but have access to Pod logs (either directly using kubectl, or by Pod logs being shipped elsewhere). ### Patches Upgrade to 3.5.0 or newer. ### Workarounds Disable debug logging entirely, or exclude the `kubernetes:client` debug item (for example, using `DEBUG=*,-kubernetes:client`). ### References - https://cwe.mitre.org/data/definitions/532.html

### Impact The impact of this path traversal and arbitrary extension is limited (creation of arbitrary files and appending data to existing files) but when combined with the SQL Injection, the exported data `RESTRICTED DIFFUSION 9 / 9` can be controlled and a webshell can be uploaded. Attackers can use that to execute arbitrary PHP code on the server with the permissions of the webserver. ### Patches Update to version 10.5.18 or apply this patch manually https://github.com/pimcore/pimcore/commit/7f788fa44bc18bc1c9182c25e26b770a1d30b62f.patch ### Workarounds Apply patch https://github.com/pimcore/pimcore/commit/7f788fa44bc18bc1c9182c25e26b770a1d30b62f.patch manually. ### References https://github.com/pimcore/pimcore/pull/14498