Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-wr8m-5h2p-4432: Liferay Portal API Allows Authenticated Users to Access Workflow Definitions by Name

Insecure Direct Object Reference (IDOR) vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.7, 2024.Q1.1 through 2024.Q1.12, and 7.4 GA through update 92 allows remote authenticated users to access a workflow definition by name via the API.

ghsa
#vulnerability#web#auth
GHSA-765j-9r45-w2q2: Flask App Builder has an Authentication Bypass vulnerability when using non AUTH_DB methods

### Impact When Flask-AppBuilder is configured to use OAuth, LDAP, or other non-database authentication methods, the password reset endpoint remains registered and accessible, despite not being displayed in the user interface. This allows an enabled user to reset their password and be able to create JWT tokens even after the user is disabled on the authentication provider. ### Patches Upgrade to Flask-AppBuilder version 4.8.1 or later ### Workarounds If immediate upgrade is not possible: - Manually disable password reset routes in the application configuration - Implement additional access controls at the web server or proxy level to block access to the reset my password URL. - Monitor for suspicious password reset attempts from disabled accounts

GHSA-m662-56rj-8fmm: Prebid-universal-creative latest on npm briefly compromised

### Impact Npm users of PUC 1.17.3 or PUC latest were briefly affected by crypto-related malware detailed in the blog post below. This includes the extremely popular jsdelivr hosting of this file. ### Patches We unpublished the version on npm. ### Workarounds This has already been unpublished. See Prebid.js 9 release notes for suggestions on moving off the deprecated workflow of using the PUC or pointing to a dynamic version of it. PUC users pointing to latest should transition to 1.17.2 ASAP to avoid similar attacks in the future. ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

GHSA-jwq7-6j4r-2f92: Prebid.js NPM package briefly compromised

### Impact NPM users of prebid 10.9.2. The malicious code attempts to redirect crypto transactions on the site to the attackers' wallet. ### Patches 10.10.0 is solved ### References https://www.sonatype.com/blog/npm-chalk-and-debug-packages-hit-in-software-supply-chain-attack

GHSA-33vc-wfww-vjfv: jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

GHSA-68x2-mx4q-78m7: Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage

### Impact Angular uses a DI container (the "platform injector") to hold request-specific state during server-side rendering. For historical reasons, the container was stored as a JavaScript module-scoped global variable. When multiple requests are processed concurrently, they could inadvertently share or overwrite the global injector state. In practical terms, this can lead to one request responding with data meant for a completely different request, leaking data or tokens included on the rendered page or in response headers. As long as an attacker had network access to send any traffic that received a rendered response, they may have been able to send a large number of requests and then inspect the responses for information leaks. The following APIs were vulnerable and required SSR-only breaking changes: * `bootstrapApplication`: This function previously implicitly retrieved the last platform injector that was created. It now requires an explicit `BootstrapContext` in a server en...

GHSA-4wcm-7hjf-6xw5: interactive-git-checkout has a Command Injection vulnerability

The npm package `interactive-git-checkout` is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via `npm install -g interactive-git-checkout`. Resources: * Project's npm package: https://www.npmjs.com/package/interactive-git-checkout ## Command Injection Vulnerability The `interactive-git-checkout` tool is vulnerable to a command injection vulnerability because it passes the branch name to the `git checkout` command using the Node.js child process module's `exec()` function without proper input validation or sanitization. The following vulnerable code snippets demonstrates the issue: ```js const { exec: execCb } = require('child_process'); const { promisify } = require('util'); const exec = promisify(execCb); module.exports = async (targetBranch) => { const { stdout, stderr } = await exec(`git checkout ${targetBranch}`); process.st...

GHSA-jhgr-j9cj-8j62: Liferay Portal is vulnerable to Reflected XSS attack through get_editor path

Reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.3.73 through 7.4.3.128, and Liferay DXP 2024.Q3.0 through 2024.Q3.1, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 update 73 through update 92 allows remote attackers to inject arbitrary web script or HTML via the /c/portal/comment/discussion/get_editor path.

GHSA-fvp7-jj9m-3qpf: Liferay Portal's Incorrect Authorization vulnerability can lead to guest users to obtaining sensitive data

Improper Access Control vulnerability in Liferay Portal 7.4.0 through 7.4.3.124, and Liferay DXP 2024.Q2.0 through 2024.Q2.8, 2024.Q1.1 through 2024.Q1.12 and 7.4 GA through update 92 allows guest users to obtain object entry information via the API Builder.

GHSA-v2p7-4pv4-3wwh: Infrahub: Deleted and expired API tokens can still authenticate

### Impact A bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. ### Patches This issue is fixed in versions `1.3.9` and `1.4.5` ### Workarounds Users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.