Security
Headlines
HeadlinesLatestCVEs

Source

ghsa

GHSA-4vjr-hfpp-2m7w: expand-object Vulnerable to Prototype Pollution via the expand() Function

Versions of the package expand-object from 0.0.0 to 0.4.2 are vulnerable to Prototype Pollution in the expand() function in index.js. This function expands the given string into an object and allows a nested property to be set without checking the provided keys for sensitive properties like __proto__.

ghsa
#vulnerability#web#js#auth
GHSA-qw64-6vcc-8ghx: Browsershot Server-Side Request Forgery (SSRF) via setURL() Function

Versions of the package spatie/browsershot from 0.0.0 to 5.0.3 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.

GHSA-fq5x-7292-2p5r: React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button

All versions of the package react-draft-wysiwyg are vulnerable to Cross-site Scripting (XSS) via the Embedded button which will then result in saving the payload in the <iframe> tag.

GHSA-3gc7-fjrx-p6mg: bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function

Versions of the package bigint-buffer from 0.0.0 to 1.1.5 are vulnerable to Buffer Overflow in the toBigIntLE() function. Attackers can exploit this to crash the application.

GHSA-7vc5-mjwp-c8fq: LMDeploy Improper Input Validation Vulnerability

A vulnerability was found in InternLM LMDeploy up to 0.7.1. It has been classified as critical. Affected is the function load_weight_ckpt of the file lmdeploy/lmdeploy/vl/model/utils.py of the component PT File Handler. The manipulation leads to deserialization. Attacking locally is a requirement. The exploit has been disclosed to the public and may be used.

GHSA-g73c-fw68-pwx3: pgAdmin 4 Vulnerable to Remote Code Execution

Remote Code Execution security vulnerability in pgAdmin 4 (Query Tool and Cloud Deployment modules). The vulnerability is associated with the 2 POST endpoints; /sqleditor/query_tool/download, where the query_commited parameter and /cloud/deploy endpoint, where the high_availability parameter is unsafely passed to the Python eval() function, allowing arbitrary code execution. This issue affects pgAdmin 4: before 9.2.

GHSA-2rrx-pphc-qfv9: pgAdmin 4 Vulnerable to Cross-Site Scripting (XSS) via Query Result Rendering

pgAdmin <= 9.1 is affected by a security vulnerability with Cross-Site Scripting(XSS). If attackers execute any arbitrary HTML/JavaScript in a user's browser through query result rendering, then HTML/JavaScript runs on the browser.

GHSA-rfw5-cqjj-7v9r: API Platform Core can leak exceptions message that may contain sensitive information

### Summary Exception messages, that are not HTTP exceptions, are visible in the JSON error response. ### Details While we wanted to make our errors compatible with the [JSON Problem](https://datatracker.ietf.org/doc/html/rfc7807) specification, we ended up handling more exceptions then we did previously (introduced at https://github.com/api-platform/core/pull/5823). Instead of leaving that to Symfony, we ended up serializing errors with our normalizers which lead to not hiding the exception details. Note that the trace is hidden in production but the message is not, and the message can contain sensitive information. ### PoC At https://github.com/ili101/api-platform/tree/test3.2 it triggers an authentication exception as LDAP is not reachable. You can find the message available as a JSON response when trying to reach an endpoint. ### Impact Version 3.2 until 3.2.4 is impacted.

GHSA-cmm4-p9v2-q453: Concrete CMS Vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS)

Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified.  Attackers are limited to individuals whom a site administrator has granted the ability to fill in an address attribute. It is possible for the attacker to glean limited information from the site but amount and type is restricted by mitigating controls and the level of access of the attacker. Limited data modification is possible. The dashboard page itself could be rendered unavailable. The fix only sanitizes new data uploaded post update to Concrete CMS 9.4.0RC2. Existing database entries added before the update will still be “live” if there were successful exploits added under previous versions; a database search is recommended. The Concrete CMS security team gave this vulnerability CVSS v.4.0 score of 5.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L...

GHSA-hphm-3x7f-g875: Drupal Obfuscate Vulnerable to Stored Cross-Site Scripting (XSS)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Obfuscate allows Stored XSS. This issue affects Obfuscate: from 0.0.0 before 2.0.1.