ghsa

### Impact Users with the `backend.manage_branding` permission can upload SVGs as the application logo. Previously, SVG uploads were not sanitized, which could have allowed a stored XSS attack. Although this was a security issue, it's important to note that its severity is low. To exploit the vulnerability, an attacker would already need to have developer or super user level permissions in Winter CMS. This means they would already have extensive access and control within the system. Additionally, to execute the XSS, the attacker would need to convince the victim to directly visit the URL of the maliciously uploaded SVG, and the application would have to be using local storage where uploaded files are served under the same domain as the application itself instead of a CDN. This is because all SVGs in Winter CMS are rendered through an `img` tag, which prevents any payloads from being executed directly. These two factors significantly limit the potential harm of this vulnerability. Th...

### Summary Our `meow` dependency (which we use for our CLI) depended on `semver@5.7.1 `. A vulnerability in this version of `semver` was recently identified and surfaced by `npm audit`: Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw ### Details Original post by the reporter: "my npm audit show the report semver <7.5.2 Severity: moderate semver vulnerable to Regular Expression Denial of Service - https://github.com/advisories/GHSA-c2qf-rxjj-qqgw No fix available And my dependencies tree for semver show your package ├─┬ stylelint@15.9.0 │ └─┬ meow@9.0.0 │ └─┬ read-pkg-up@7.0.1 │ └─┬ read-pkg@5.2.0 │ └─┬ normalize-package-data@2.5.0 │ └── semver@5.7.1 deduped I found that meow@10.x.x contains normalize-package-data@5 and I can fix this vulnerability because it uses semver@7. But I can't update meow to the new major version because your package doesn't allow it." Update your p...

### Summary Pipelines do not validate child UIDs, which means that a user that has access to create TaskRuns can create their own Tasks that the Pipelines controller will accept as the child Task. We should add UID to PipelineRun status and validate that child Run status/results only come from Runs matching the same UID. ### Details While we [store and validate the PipelineRun's (api version, kind, name, uid) in the child Run's OwnerReference](https://github.com/tektoncd/pipeline/blob/2d38f5fa840291395178422d34b36b1bc739e2a2/pkg/reconciler/pipelinerun/pipelinerun.go#L1358-L1372), we only store (api version, kind, name) in the [ChildStatusReference](https://pkg.go.dev/github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1#ChildStatusReference) . This means that if a client had access to create TaskRuns on a cluster, they could create a child TaskRun for a pipeline with the same name + owner reference, and the Pipeline controller picks it up as if it was the original TaskRun. This is...

### Impact In `PeriodicVestingAccount`, defined in `x/auth`, an attacker can initialize a victim's account as a malicious vesting account, which allows deposits but does not allow withdrawals. When the user then deposits funds into their account, those funds are locked forever, and the user is not able to withdraw them. ### Patches \>= v0.46.13 for Cosmos SDK v0.46.x \>= v0.47.3 for Cosmos SDK v0.47.x If a network backported periodic vesting accounts to earlier versions of the SDK, those networks are affected too. ### Workarounds There is no workaround for this issue. Upgrade immediately. ### References * Patched versions release notes: [v0.47.3](https://github.com/cosmos/cosmos-sdk/blob/cfc757dc5043fb2758c47c146d2912fd010c1a45/RELEASE_NOTES.md#cosmos-sdk-v0473-release-notes), [v0.46.13](https://github.com/cosmos/cosmos-sdk/blob/d4b7164de5d8391e6aa644d8ea84e07396dd9653/RELEASE_NOTES.md#cosmos-sdk-v04613-release-notes). * [Forum Post](https://forum.cosmos.network/t/cosmos-sdk-se...

PEAR Archive_Tar version 1.4.3 and earlier contains a CWE-502, CWE-915 vulnerability in the Archive_Tar class. There are several file operations with `$v_header['filename']` as parameter (such as file_exists, is_file, is_dir, etc). When extract is called without a specific prefix path, we can trigger unserialization by crafting a tar file with `phar://[path_to_malicious_phar_file]` as path. Object injection can be used to trigger destruct in the loaded PHP classes, e.g. the Archive_Tar class itself. With Archive_Tar object injection, arbitrary file deletion can occur because `@unlink($this->_temp_tarname)` is called. If another class with useful gadget is loaded, it may possible to cause remote code execution that can result in files being deleted or possibly modified. This vulnerability appears to have been fixed in 1.4.4.

A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a scale limit of 1000 (by default) to the BigDecimal. This issue affects Apache Johnzon through 1.2.20.

### Impact The Sentry API incorrectly returns the `access-control-allow-credentials: true` HTTP header if the `Origin` request header ends with the `system.base-hostname` option of Sentry installation. This only affects installations that have `system.base-hostname` option explicitly set, as it is empty by default. Impact is limited since recent versions of major browsers have cross-site cookie blocking enabled by default. However, this flaw could allow other multi-step attacks. ### Patches The patch has been released in [Sentry 23.6.2](https://github.com/getsentry/self-hosted/releases/tag/23.6.2). ### Workarounds For Sentry SaaS customers, no action is needed. For self-hosted Sentry installations that have `system.base-hostname` explicitly set, it is recommended to upgrade the installation to 23.6.2 or higher. There are no known workarounds. ### References - [getsentry/sentry PR #52276](https://github.com/getsentry/sentry/pull/52276) ### Credits - [@andr0idp4r4n0id](https://twi...

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

There exists an vulnerability causing an abort() to be called in gRPC.  The following headers cause gRPC's C++ implementation to abort() when called via http2: te: x (x != trailers) :scheme: x (x != http, https) grpclb_client_stats: x (x == anything) On top of sending one of those headers, a later header must be sent that gets the total header size past 8KB. We recommend upgrading past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53 and above.

gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for `-bin` suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyond the commit in https://github.com/grpc/grpc/pull/32309.