ghsa

### Impact Wasmtime's code generation backend, Cranelift, has a bug on x86_64 platforms for the WebAssembly `i8x16.select` instruction which will produce the wrong results when the same operand is provided to the instruction and some of the selected indices are greater than 16. There is an off-by-one error in the calculation of the mask to the `pshufb` instruction which causes incorrect results to be returned if lanes are selected from the second vector. The impact of this miscompilation is that the WebAssembly instruction can produce incorrect results for the `i8x16.select` instruction. This should have no effect on embedders and does not represent a sandbox escape, for example. Guest programs, however, may behave unexpectedly due to the incorrect result of this instruction. In extreme cases if a guest program is handling untrusted input then the guest program may deviate from its intended execution, for example calling an imported host function with different arguments than intend...

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/edit.

Funadmin v3.2.0 was discovered to contain a SQL injection vulnerability via the id parameter at /databases/database/list.

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530. Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3 # Impact The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected. All users running an affected release should either upgrade or use one of the workarounds immediately. # Workarounds A proxy can be configured to limit the POST body size which will mitigate this issue.

### Impact Any user with edit rights on a document can trigger a XAR import on a forged XAR file, leading to the ability to display the content of any file on the XWiki server host. Example to reproduce: * Create a forget XAR file and inside it, have the following `package.xml` content: ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <package> <infos> <name>&xxe;</name> <description> &xxe; Helper pages for creating and listing Class/Template/Sheets</description> <licence></licence> <author>XWiki.Admin</author> ... ``` * Upload it onto a wiki page (e.g. `XXE`) as an attachment (e.g. `test.xar`). * Call the page using `http://localhost:8080/xwiki/bin/view/Main/XXE?sheet=XWiki.AdminImportSheet&file=test.xar` You'll then notice that the displayed UI contains the content of the `/etc/passwd` file. ### Patches The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1. ### Workarounds You'd...

### Impact Any user with view rights can execute arbitrary Groovy, Python or Velocity code in XWiki leading to full access to the XWiki installation. The root cause is improper escaping of UIX parameters A proof of concept exploit is to log in, add an `XWiki.UIExtensionClass` xobject to the user profile page, with an Extension Parameters content of: ``` order=100 label={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("Hello " + "from groovy!"){{/groovy}}{{/async}} icon=icon:pencil target=XWiki.username ``` Then, navigating to `PanelsCode.ApplicationsPanelConfigurationSheet` (i.e., `<xwiki-host>/xwiki/bin/view/PanelsCode/ApplicationsPanelConfigurationSheet` where `<xwiki-host>` is the URL of your XWiki installation) should not execute the Groovy script. If it does, you will see `Hello from groovy!` displayed on the screen. ### Patches The vulnerability has been patched in XWiki 13.10.11, 14.4.7 and 14.10-rc-1 ### Workarounds The issue can be ...

### Impact Users with read access to the `password` field in `directus_users` can extract the argon2 password hashes by brute forcing the export functionality combined with a `_starts_with` filter. This allows the user to enumerate the password hashes. ### Patches The problem has been patched by preventing any hashed/concealed field to be filtered against with the `_starts_with` or other string operator. ### Workarounds Ensuring that no user has `read` access to the `password` field in `directus_users` is sufficient to prevent this vulnerability. ### For more information If you have any questions or comments about this advisory: * Open a Discussion in [directus/directus](https://github.com/directus/directus/discussions/new) * Email us at [security@directus.io](mailto:security@directus.io)

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments 1.4.3 and prior. A patch is available and anticipated to be part of version 1.5.0.

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions.

### Impact OWSLib's XML parser (which supports both `lxml` and `xml.etree`) does not disable entity resolution, and could lead to arbitrary file reads from an attacker-controlled XML payload. This affects all XML parsing in the codebase. ### Patches This issue is patched in 0.28.1. ### Workarounds The patch approach should be: - update all XML support as follows: - use ONLY `lxml.etree` - apply the patch below ```python patch_well_known_namespaces(etree) etree.set_default_parser( parser=etree.XMLParser(resolve_entities=False) ) ``` ### References - `GHSL-2022-131`