Security Headlines: Latest CVEs

Source: ghsa
GHSA-7hv8-3fr9-j2hv: Cross site scripting Vulnerability in backstage Software Catalog

### Impact

This vulnerability allows a malicious actor with access to add or modify content in an instance of the Backstage software catalog to inject script URLs in the entities stored in the catalog. If users of the catalog then click on said URLs, that can lead to an XSS attack.

### Patches

This vulnerability has been patched in both the frontend and backend implementations. The default `Link` component from `@backstage/core-components` will now reject `javascript:` URLs, and there is a global override of `window.open` to do the same. In addition, the catalog model as well as the catalog backend now have additional validation built in that prevents `javascript:` URLs in known annotations.

### Workarounds

The general practice of limiting access to modifying catalog content and requiring code reviews greatly helps mitigate this vulnerability.

### For more information

If you have any questions or comments about this advisory: * Open an issue in the [Backstage repository](https:/...
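The patch description above rejects `javascript:` URLs in the `Link` component and in a `window.open` override. The following is an added example, not Backstage's code, of how such a check should be written: a naive prefix test is shown beside a check that parses the href with the WHATWG `URL` parser and allowlists the resulting protocol. The allowed scheme set, the resolution base URL and the `guardedOpen` wrapper are assumptions for illustration.

```javascript
// Added example (not Backstage's code): reject javascript: and other
// script-capable URLs in link targets by parsing with the WHATWG URL parser
// instead of string-matching the raw href.

// Naive check: the kind of filter that is easy to write and easy to bypass.
// Case variants and embedded tab/newline characters slip straight past it.
function naiveRejectsHref(href) {
  return href.startsWith("javascript:");
}

// Schemes a catalog link may use (assumed allowlist). Everything else
// (javascript:, data:, vbscript:, file:, ...) is rejected.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:", "mailto:"]);

// Hypothetical base, used only so relative hrefs ("/catalog/foo") resolve.
const RESOLUTION_BASE = "https://backstage.example.invalid/";

// Returns true when href is safe to render as a link target.
function isSafeHref(href) {
  if (typeof href !== "string") return false;
  let url;
  try {
    // The URL parser strips leading/trailing C0 controls and spaces, removes
    // ASCII tab and newline, and lowercases the scheme, so obfuscated
    // variants normalise to the same protocol value before the allowlist.
    url = new URL(href, RESOLUTION_BASE);
  } catch {
    return false; // unparseable input: fail closed
  }
  return ALLOWED_PROTOCOLS.has(url.protocol);
}

// Sketch of a window.open wrapper applying the same check (the advisory
// describes a global override; this is an assumed shape, not the real one).
// openImpl is the original window.open; null signals "blocked".
function guardedOpen(openImpl, href, ...rest) {
  if (!isSafeHref(href)) return null;
  return openImpl(href, ...rest);
}

// Constructed hrefs exercising the obfuscations the naive check misses.
const SAMPLES = [
  "https://example.com/docs",
  "/catalog/default/component/my-service",
  "mailto:owner@example.com",
  "javascript:alert(document.cookie)",
  "JavaScript:alert(1)",
  "  javascript:alert(1)",
  "java\tscript:alert(1)",
  "java\nscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
];

// Returns [href, naiveRejects, allowed] for each sample.
function evaluateSamples() {
  return SAMPLES.map((h) => [h, naiveRejectsHref(h), isSafeHref(h)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [h, naive, allowed] of evaluateSamples()) {
    console.log(JSON.stringify(h).padEnd(48), "naive-rejects:", naive, "allowed:", allowed);
  }
}
```

Running the block shows the naive filter rejecting only the exact lowercase `javascript:` form, while the parser-based check rejects every variant and still accepts relative, `https:` and `mailto:` targets.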

GHSA-74m5-2c7w-9w3x: MultipartParser denial of service with too many fields or files

### Impact

The `MultipartParser` using the package `python-multipart` accepts an unlimited number of multipart parts (form fields or files). Processing too many parts results in high CPU usage and high memory usage, eventually leading to an OOM (out of memory) process kill. This can be triggered by sending too many small form fields with no content, or too many empty files.

For this to take effect, application code has to:

* have `python-multipart` installed, and
* call `request.form()`, or
* use another framework like FastAPI with form field parameters or `UploadFile` parameters, which in turn calls `request.form()`.

### Patches

The vulnerability is solved in Starlette 0.25.0 by making the maximum number of fields and files customizable, with a sensible default (1000). Applications will be secure by just upgrading their Starlette version to 0.25.0 (or FastAPI to 0.92.0). If application code needs to customize the new max field and file number, there are new `req...
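The mitigation described above is a cap on the number of parts a multipart body may contain. As an added example, not Starlette's or python-multipart's code, the block below is a minimal buffered `multipart/form-data` parser that enforces such a cap (default 1000 fields and 1000 files, matching the advisory's default) and a constructed flood payload of empty parts to exercise it. The parser splits on the bare boundary delimiter and assumes part contents never contain it; those are simplifications for illustration, not the behaviour of any real library.

```javascript
// Added example (not Starlette's or python-multipart's code): a minimal
// multipart/form-data parser that caps the number of fields and files.

const DEFAULT_LIMITS = { maxFields: 1000, maxFiles: 1000 };

// Parses a multipart body. Throws as soon as the part count exceeds the
// limit, before the offending part is stored, so a flood of empty parts
// costs one counter increment per part rather than one allocation per part.
function parseMultipart(body, boundary, limits = DEFAULT_LIMITS) {
  const delimiter = `--${boundary}`;
  const segments = body.split(delimiter);
  const parts = [];
  let fields = 0;
  let files = 0;

  // segments[0] is the preamble (normally empty); each following segment is
  // "\r\n<headers>\r\n\r\n<content>\r\n", and the last one is "--\r\n".
  for (const segment of segments.slice(1)) {
    if (segment.startsWith("--")) break; // closing delimiter reached
    const headerEnd = segment.indexOf("\r\n\r\n");
    if (headerEnd === -1) throw new Error("malformed multipart part");
    const headers = segment.slice(2, headerEnd);
    const disposition = /content-disposition:\s*form-data;([^\r\n]*)/i.exec(headers);
    if (!disposition) throw new Error("part without form-data disposition");
    // \bname does not match inside "filename", so the two lookups are distinct.
    const name = /\bname="([^"]*)"/.exec(disposition[1]);
    const filename = /\bfilename="([^"]*)"/.exec(disposition[1]);

    if (filename) {
      files += 1;
      if (files > limits.maxFiles) throw new Error(`too many files (limit ${limits.maxFiles})`);
    } else {
      fields += 1;
      if (fields > limits.maxFields) throw new Error(`too many fields (limit ${limits.maxFields})`);
    }

    parts.push({
      name: name ? name[1] : null,
      filename: filename ? filename[1] : null,
      content: segment.slice(headerEnd + 4, segment.length - 2),
    });
  }
  return { fields, files, parts };
}

// Builds a constructed request body with `fieldCount` empty fields and
// `fileCount` empty files: the shape of payload the advisory describes.
function buildFlood(boundary, fieldCount, fileCount = 0) {
  let out = "";
  for (let i = 0; i < fieldCount; i++) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="f${i}"\r\n\r\n\r\n`;
  }
  for (let i = 0; i < fileCount; i++) {
    out += `--${boundary}\r\nContent-Disposition: form-data; name="u${i}"; filename="e${i}.bin"\r\n` +
      `Content-Type: application/octet-stream\r\n\r\n\r\n`;
  }
  return out + `--${boundary}--\r\n`;
}

// Wraps parseMultipart so callers get a result object instead of an exception.
function tryParse(body, boundary, limits) {
  try {
    const { fields, files } = parseMultipart(body, boundary, limits);
    return { ok: true, fields, files };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

if (typeof require !== "undefined" && require.main === module) {
  const boundary = "----constructedBoundary";
  const unlimited = { maxFields: Infinity, maxFiles: Infinity };
  console.log("1500 empty fields, no limit:", tryParse(buildFlood(boundary, 1500), boundary, unlimited));
  console.log("1500 empty fields, default limit:", tryParse(buildFlood(boundary, 1500), boundary));
  console.log("10 fields + 2 files, default limit:", tryParse(buildFlood(boundary, 10, 2), boundary));
}
```

The point to carry over to a streaming parser is the ordering: the counter is checked when a part's headers are read, before any buffer for that part is allocated, otherwise an attacker still pays nothing while the server pays per part.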

GHSA-gvg3-83q4-rfhq: Command injection in Apache Sling

Apache Sling JCR Base < 3.1.12 has a critical injection vulnerability when running on old JDK versions (JDK 1.8.191 or earlier) through utility functions in RepositoryAccessor. The functions getRepository and getRepositoryFromURL allow an application to access data stored in a remote location via JNDI and RMI. Users of Apache Sling JCR Base are recommended to upgrade to Apache Sling JCR Base 3.1.12 or later, or to run on a more recent JDK.

GHSA-fhj6-gr87-g4cj: XML External Entity Reference in ureport

An XML External Entity (XXE) vulnerability in ureport v2.2.9 allows attackers to execute arbitrary code via uploading a crafted XML file to /ureport/designer/saveReportFile.

GHSA-5jcr-82fh-339v: Cross-Site-Scripting attack on `<RichTextField>`

### Impact

All React applications built with react-admin and using the `<RichTextField>` are affected. `<RichTextField>` outputs the field value using `dangerouslySetInnerHTML` without client-side sanitization. If the data isn't sanitized server-side, this opens a possible Cross-Site-Scripting (XSS) attack.

Proof of concept:

```jsx
import { RichTextField } from 'react-admin';

const record = {
  id: 1,
  body: `
    <p>
      <strong>War and Peace</strong> is a novel by the Russian author
      <a href="https://en.wikipedia.org/wiki/Leo_Tolstoy" onclick="document.getElementById('stolendata').value='credentials';">Leo Tolstoy</a>,
      published serially, then in its entirety in 1869.
    </p>
    <p onmouseover="document.getElementById('stolendata').value='credentials';">
      It is regarded as one of Tolstoy's finest literary achievements and remains a classic of world literature.
    </p>
    <img src="x" onerror="document.getElementById('stolendata').value='credentials';" />
  `,
};

const VulnerableRichTextField = ...
```

GHSA-344m-qcjq-xgrf: Vulnerable OpenSSL included in sgx-dcap-quote-verify-python

sgx-dcap-quote-verify-python includes a statically linked copy of OpenSSL. The version of OpenSSL included in sgx-dcap-quote-verify-python 0.0.1..0.0.2 is vulnerable to a security issue. More details about the OpenSSL vulnerabilities themselves can be found at https://www.openssl.org/news/secadv/20230207.txt.

## Analysis

The binding includes OpenSSL version 1.1.1s, which is vulnerable to the vulnerabilities disclosed in the [OpenSSL Security Advisory from the 7th February 2023](https://www.openssl.org/news/secadv/20230207.txt). The binding does not directly use OpenSSL. The binding calls the SGX Quote Verification Library, which uses OpenSSL.

## Explanation

The SGX Quote Verification Library uses OpenSSL as a dependency to perform its cryptographic operations and certificate verification. The OpenSSL security advisory mentions multiple vulnerabilities but I believe the most concerning would be CVE-2023-0286 “X.400 address type confusion in X.509 GeneralName”. Its severity is rated high an...

GHSA-6fcj-9vfw-jq2m: Arbitrary file deletion in ureport

ureport v2.2.9 was discovered to contain an arbitrary file deletion vulnerability.

GHSA-6p89-3p7c-qrhv: Cross-site scripting in CKEditor5

CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the Full Featured CKEditor5 widget.

GHSA-r2vq-p658-p274: SameSite Attribute vulnerability in pimCore

An improper SameSite Attribute vulnerability in pimCore v10.5.15 allows attackers to execute arbitrary code.

GHSA-3hjh-5hgx-f5wh: Path traversal vulnerability in glance

Versions of the package glance before 3.0.9 are vulnerable to Directory Traversal that allows users to read files outside the public root directory. This is related to but distinct from the vulnerability reported in [CVE-2018-3715](https://security.snyk.io/vuln/npm:glance:20180129).