Source
ghsa
### Impact Ironic and ironic-inspector deployed within Baremetal Operator using the included `deploy.sh` store their `.htpasswd` files as ConfigMaps instead of Secrets. This causes the plain-text username and hashed password to be readable by anyone having a cluster-wide read-access to the management cluster, or access to the management cluster's Etcd storage. ### Patches This issue is patched in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241), and is included in BMO release 0.3.0 onwards. ### Workarounds User may modify the kustomizations and redeploy the BMO, or recreate the required ConfigMaps as Secrets per instructions in [baremetal-operator PR#1241](https://github.com/metal3-io/baremetal-operator/pull/1241)
### Details If a user has access to documents that contain hidden fields or fields they do not have access to, the user could reverse-engineer those values via brute force. Affected versions: < 1.7.0 ### Workarounds If you are unable to update, you can write a `beforeOperation` hook to remove `where` queries that attempt to access hidden field data. ### Detecting Compromise Monitor your instance for brute-force style requests against your instance using `where` queries.
### Impact Downstream services relying on the presence of headers set by the `header` mutator could be exploited. A client can drop the header set by the `header` mutator by including that header's name in the `Connection` header. Example minimal config: ```yaml - id: 'example' upstream: url: 'https://example.com' match: url: 'http://127.0.0.1:4455/' methods: - GET authenticators: - handler: anonymous authorizer: handler: allow mutators: - handler: header config: headers: X-Subject: {{ .Subject }} ``` ``` curl -H "Connection: x-subject" http://127.0.0.1:4455/ ``` The `X-Subject` header will not arrive at the downstream server. It is completely dropped. In case the downstream server handles such a request in an unexpected way, an attacker can exploit this, assuming they know or guess the internal header name. ### Patches c5cc7f736dc84185034be4356057d1c7a656d797 ### Workarounds The downstream server should handle the...
Description: While making an account in demo.avideo.com I found a parameter "?success=" which did not sanitize any symbol character properly which leads to XSS attack. Impact: Since there's an Admin account on demo.avideo.com attacker can use this attack to Takeover the admin's account Step to Reproduce: 1. Click the link below [https://demo.avideo.com/user?success="><img](https://demo.avideo.com/user?success=%22%3E%3Cimg) src=x onerror=alert(document.cookie)> 2. Then XSS will be executed
### Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. ### Patches Yes, see commit [fdc6fef0](https://github.com/XKCP/XKCP/commit/fdc6fef075f4e81d6b1bc38364248975e08e340a). ### Workarounds The problem can be avoided by limiting the size of the partial input data (or partial output digest) below 2^32 - 200 bytes. Multiple calls to the queue system can be chained at a higher level to retain the original functionality. Alternatively, one can process the entire input (or produce the entire output) at once, avoiding the queuing functions altogether. ### References See [issue #105](https://github.com/XKCP/XKCP/issues/105) for more details.
### Impact Authenticated users in the back end can list files outside the document root in the file manager. ### Patches Update to Contao 4.9.40, 4.13.21 or 5.1.4. ### Workarounds None. ### References https://contao.org/en/security-advisories/directory-traversal-in-the-file-manager ### For more information If you have any questions or comments about this advisory, open an issue in [contao/contao](https://github.com/contao/contao/issues/new/choose).
### Impact It is possible for a user having access to the SQL Manager (Advanced Options -> Database) to arbitrary read any file on the Operating system when using SQL function LOAD_FILE in a SELECT request. So It can access to critical information. ### Patches The patch will be on PS 8.0.4 and PS 1.7.8.9
The `aws_sigv4::SigningParams` struct had a derived `Debug` implementation. When debug-formatted, it would include a user's AWS access key, AWS secret key, and security token in plaintext. When TRACE-level logging is enabled for an SDK, `SigningParams` is printed, thereby revealing those credentials to anyone with access to logs. ### Impact All users of the AWS SDK for Rust who enabled TRACE-level logging, either globally (e.g. `RUST_LOG=trace`), or for the `aws-sigv4` crate specifically. ### Patches - Versions >= `0.55.1` - `0.54.2` - `0.53.2` - `0.52.1` - `0.51.1` - `0.50.1` - `0.49.1` - `0.48.1` - `0.47.1` - `0.46.1` - `0.15.1` - `0.14.1` - `0.13.1` - `0.12.1` - `0.11.1` - `0.10.2` - `0.9.1` - `0.8.1` - `0.7.1` - `0.6.1` - `0.5.3` - `0.3.1` - `0.2.1` ### Workarounds Disable TRACE-level logging for AWS Rust SDK crates.
An old version of TinyMCE include an XSS vulnerability, which was patched in a later version. This was described by TinyMCE: > A cross-site scripting (XSS) vulnerability was discovered in the core parser. The vulnerability allowed arbitrary JavaScript execution when inserting a specially crafted piece of content into the editor via the clipboard or APIs. This impacts all users who are using TinyMCE 4.9.10 or lower and TinyMCE 5.4.0 or lower. We reviewed the potential impact of this vulnerability within the context of Silverstripe CMS. We concluded this is a medium impact vulnerability given how TinyMCE is used by Silverstripe CMS. Reported by: Developers at ACC
The Media oEmbed iframe route does not properly validate the iframe domain setting, which allows embeds to be displayed in the context of the primary domain. Under certain circumstances, this could lead to cross-site scripting, leaked cookies, or other vulnerabilities. Drupal 7 core does not include the Media module and therefore is not affected.