Source
ghsa
### Impact The proposal creation entrypoint (`propose`) in `GovernorCompatibilityBravo` allows the creation of proposals with a `signatures` array shorter than the `calldatas` array. This causes the additional elements of the latter to be ignored, and if the proposal succeeds the corresponding actions would eventually execute without any calldata. The `ProposalCreated` event correctly represents what will eventually execute, but the proposal parameters as queried through `getActions` appear to respect the original intended calldata. ### Patches This issue has been patched in v4.8.3. ### Workarounds Ensure that all proposals that pass through governance have equal length `signatures` and `calldatas` parameters.
A vulnerability was found in mportuga eslint-detailed-reporter up to 0.9.0 and classified as problematic. Affected by this issue is the function renderIssue in the library lib/template-generator.js. The manipulation of the argument message leads to cross site scripting. The attack may be launched remotely. The name of the patch is 505c190efd4905990db6207863bdcbd9b1d7e1bd. It is recommended to apply a patch to fix this issue. VDB-226310 is the identifier assigned to this vulnerability.
AzuraCast/AzuraCast prior to version 0.18.0 is vulnerable to stored cross-site scripting. An issue was identified where a user who already had an AzuraCast account could update their display name to inject malicious JavaScript into the header menu of the site. In a majority of cases, this menu is only visible to the current logged-in user (pages like the `Administer Users` page are unaffected by this vulnerability), but if a higher-privileged administrator uses the `Log In As` feature to masquerade as a user, then the JavaScript injection could exfiltrate certain data. Anonymous members of the public cannot exploit this vulnerability in an AzuraCast installation, so it is primarily of concern for multi-tenant installations (i.e. resellers).
### Summary Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. ### Details Strapi through 4.5.5 allows authenticated Server-Side Template Injection (SSTI) that can be exploited to execute arbitrary code on the server. A remote attacker with access to the Strapi admin panel can inject a crafted payload that executes code on the server into an email template that bypasses the validation checks that should prevent code execution. ### IoC Using just the request log files, the only IoC to search for is a `PUT` request to URL path `/users-permissions/email-templates`. This IoC only indicates that a Strapi email template was modified on your server and by itself does not indicate if your Strapi server has been compromised. If this IoC is detected, you will need to manually review your email templates on your Strapi server and backups of your database to see if any of the templates contain a `lodas...
### Summary Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. ### Details Strapi through 4.7.1 allows unauthenticated attackers to discover sensitive user details for Strapi administrators and API users. The unauthenticated attacker can filter users by columns that contain sensitive information and infer the values by the changes in the API responses. An unauthenticated attacker can exploit this vulnerability to hijack Strapi administrator accounts and gain unauthorized Strapi Super Administrator access by leaking the password reset token and changing the admin password. This can be exploited on all Strapi versions <=4.7.1. ### IoC The exploitation of CVE-2023-22894 is easily detectable, since the payload is within the GET parameters and are normally included in request logs. The following regex pattern will extract requests that are exploiting this vulnerability to leak user's email, password and pass...
PowerJob V4.3.1 is vulnerable to Incorrect Access Control via the create user/save interface.
### Impact In XWiki, every user can add translations that are only applied to the current user. This also allows overriding existing translations. Such translations are often included in privileged contexts without any escaping which allows remote code execution for any user who has edit access on at least one document which could be the user's own profile where edit access is enabled by default. The following describes a proof of concept exploit to demonstrate this vulnerability: 1. Edit the user profile with the wiki editor and set the content to ``` error={{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groovy}}println("hello from groovy!"){{/groovy}}{{/async}} ``` 2. Use the object editor to add an object of type `XWiki.TranslationDocumentClass` with scope `USER`. 3. Open the document `WikiManager.AdminWikiDescriptorSheet`. The expected result would be that a message with title `{{/html}} {{async async="true" cached="false" context="doc.reference"}}{{groo...
### Impact Improper header parsing. An attacker could sneak in a newline (`\n`) into both the header names and values. While the specification states that `\r\n\r\n` is used to terminate the header list, many servers in the wild will also accept `\n\n`. ### Patches The issue is patched in 1.9.1 and 2.4.5. ### Workarounds There are no known workarounds. ### References * https://www.rfc-editor.org/rfc/rfc7230#section-3.2.4
### Impact When run in debug mode, Cilium may log sensitive information. In particular, Cilium running in debug mode will log the values of headers if they match HTTP network policy rules. This issue affects Cilium versions: - 1.7.* to 1.10.* inclusive - 1.11.* before 1.11.16 - 1.12.* before 1.12.9 - 1.13.* before 1.13.2 In addition, Cilium 1.12.* before 1.12.9 and 1.13.* before 1.13.2., when running in debug mode, might log secrets used by the Cilium agent. This includes TLS private keys for Ingress and GatewayAPI resources, depending on the configuration of the affected cluster. Output of the confidential data would occur at Cilium agent restart, when the secrets are modified, and on creation of Ingress or GatewayAPI resources. ### Patches This vulnerability is fixed in Cilium releases 1.11.16, 1.12.9, and 1.13.2. ### Workarounds Disable debug mode. ### Acknowledgements The Cilium community has worked together with members of Isovalent to prepare these mitigations. Special th...
### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read...